If I were to expose my NLS to the internet in order to capture logs from different geographical locations, does SSL/TLS capture log guarantee anyone to send me logs through this channel/port (for example 7777), or does it only encrypt the traffic?
I'm sorry, but I cannot understand whether I can use NLS to capture from environments different from a simple LAN (or a VPN connected to a LAN).
Regards,
Graziano.
Expose NLS to internet
Re: Expose NLS to internet
If you're going to expose your NLS server to the internet you should use network firewall rules (and local firewall rules to be safe) to block access from unknown systems to mitigate risk.
The logs would be sent encrypted (which requires configuration on the sender to encrypt) and when received in NLS it would decrypt them.
As long as you have network connectivity it doesn't matter if the logs come from public or private addresses (VPNs included).
Re: Expose NLS to internet
So, do you mean that SSL/TLS only encrypts the logs but does not prevent any source from sending logs over the port?
Is it right?
Regards,
Graziano.
Re: Expose NLS to internet
Correct.
While it's possible to do that by setting 'ssl_verify => true' (to verify the peer cert) in your logstash input:
https://assets.nagios.com/downloads/nag ... th-SSL.pdf
https://www.elastic.co/guide/en/logstas ... ssl_verify
It should not be your only defense; you should still limit it by firewall rules to prevent your system from being accessed by nefarious actors. For example, say in the future an exploit is found for the TCP SSL input in logstash; by leaving it accessible to the world, you leave yourself vulnerable to the exploit. It's just good practice to limit access to your public-facing systems through firewall rules to prevent nefarious actors from even being able to access them/scan them/exploit them in the first place.
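Added example, not part of the thread or of the Nagios documentation: the two TCP input variants discussed above, encrypt-only beside peer-verified, on the port 7777 from the question. The certificate paths and `type` labels are placeholders, and the option names are those of the Logstash tcp input plugin; check them against the Logstash version your NLS ships.

```logstash
# Variant A (encrypt only), shown commented out for comparison.
# Traffic is encrypted, but any host that can reach port 7777 can
# complete the TLS handshake and submit events.
#
# input {
#   tcp {
#     port       => 7777
#     type       => "tls-encrypt-only"        # constructed label
#     ssl_enable => true
#     ssl_cert   => "/path/to/server.crt"     # placeholder path
#     ssl_key    => "/path/to/server.key"     # placeholder path
#     ssl_verify => false                     # sender certificate not checked
#   }
# }

# Variant B (encrypt and verify the sender).
# Each sender must present a certificate signed by the CA listed
# below, otherwise the handshake fails and nothing is ingested.
input {
  tcp {
    port       => 7777
    type       => "tls-verified-senders"      # constructed label
    ssl_enable => true
    ssl_cert   => "/path/to/server.crt"       # placeholder path
    ssl_key    => "/path/to/server.key"       # placeholder path
    ssl_verify => true                        # verify the peer certificate
    # CA that issued the senders' certificates (placeholder path).
    ssl_certificate_authorities => ["/path/to/log-senders-ca.crt"]
  }
}

# Variant B still accepts TCP connections and starts TLS handshakes
# with any source address. Restricting which addresses can reach
# port 7777 at all is done in the network and host firewalls, as the
# reply above recommends.
```

With variant B each sender also needs its own certificate and key configured, in addition to the encryption settings it already requires.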