Expose NLS to internet

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
xdatanet
Posts: 29
Joined: Wed Sep 04, 2013 10:06 am
Location: Mirandola Italy

Expose NLS to internet

Post by xdatanet »

If I wanted to expose my NLS to the internet in order to capture logs from different geographical locations, does the SSL/TLS log capture guarantee who can send me logs through this channel/port (for example 7777), or does it only encrypt the traffic?

I'm sorry, but I cannot understand whether I can use NLS to capture logs from environments other than a simple LAN (or a VPN connected to a LAN).

Regards,
Graziano.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Expose NLS to internet

Post by ssax »

If you're going to expose your NLS server to the internet you should use network firewall rules (and local firewall rules to be safe) to block access from unknown systems to mitigate risk.

The logs would be sent encrypted (which requires configuration on the sender to encrypt them), and when they are received, NLS would decrypt them.

As long as you have network connectivity it doesn't matter if the logs come from public or private addresses (VPNs included).
xdatanet
Posts: 29
Joined: Wed Sep 04, 2013 10:06 am
Location: Mirandola Italy

Re: Expose NLS to internet

Post by xdatanet »

So, do you mean that SSL/TLS only encrypts the logs but does not prevent any source from sending logs over the port?

Is it right?

Regards,
Graziano.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Expose NLS to internet

Post by ssax »

Correct.

While it's possible to do that by setting 'ssl_verify => true' (to verify the peer cert) in your logstash input:

https://assets.nagios.com/downloads/nag ... th-SSL.pdf
https://www.elastic.co/guide/en/logstas ... ssl_verify

It should not be your only defense; you should still limit it with firewall rules to prevent your system from being accessed by nefarious actors. For example, say in the future an exploit is found for the TCP SSL input in logstash; by leaving it accessible to the world, you leave yourself vulnerable to the exploit. It's just good practice to limit access to your public-facing systems through firewall rules to prevent nefarious actors from even being able to access them/scan them/exploit them in the first place.
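To make the distinction in this thread concrete, here is an added logstash tcp input example (not from the original post or from Nagios' own documentation) showing the encrypt-only setting beside the peer-verifying one. The certificate paths and port are assumed for illustration; the reader would substitute their own.

```conf
# WEAK: TLS encrypts the stream, but any client that completes a
# TLS handshake can send logs. Nothing about the sender is checked.
input {
  tcp {
    port       => 7777
    ssl_enable => true
    ssl_cert   => "/etc/ssl/nls/server.crt"   # assumed path
    ssl_key    => "/etc/ssl/nls/server.key"   # assumed path
    ssl_verify => false
  }
}

# STRONGER: ssl_verify => true makes the input require a client
# certificate and validate it against the CA chain supplied in
# ssl_extra_chain_certs. A sender without a cert signed by that CA
# is rejected during the handshake, before any log line is accepted.
input {
  tcp {
    port                  => 7777
    ssl_enable            => true
    ssl_cert              => "/etc/ssl/nls/server.crt"       # assumed path
    ssl_key               => "/etc/ssl/nls/server.key"       # assumed path
    ssl_verify            => true
    ssl_extra_chain_certs => ["/etc/ssl/nls/sender-ca.crt"]  # assumed CA path
  }
}
```

Even with the second form, restrict port 7777 at the network and host firewall to the known sender addresses, as the reply above recommends, so the input itself is never reachable by arbitrary hosts.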