Supported TLS ciphers
Posted: Mon Sep 11, 2017 2:39 am
by mfur
We are running Nagios Log Server 1.4.4 and have not received any logs from Bluemix for the past few weeks. The response from Bluemix support about the issue is that the supported TLS ciphers in loggregator have changed to the following:
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Nagios input configuration:
tcp {
  type => 'bluemix'
  port => 5545
  # CA bundle used to verify the peer's certificate chain
  ssl_cacert => "/etc/pki/tls/certs/rootCA.pem"
  # Server certificate and private key presented to Bluemix
  ssl_cert => "/etc/pki/tls/certs/device-nls.crt"
  ssl_key => "/etc/pki/tls/private/device-nls.key"
  # TLS is terminated by the logstash tcp input itself, so the
  # cipher suites offered are whatever this plugin version supports
  ssl_enable => true
}
How to resolve the issue? Thank you.
Re: Supported TLS ciphers
Posted: Mon Sep 11, 2017 8:19 am
by mcapra
This appears to be a known issue with the logstash-input-tcp plugin:
https://github.com/logstash-plugins/log ... /issues/72
You could pass the (unencrypted) Bluemix traffic off to a local rsyslog or Beats instance, then have those intermediaries use a compatible cipher suite and be responsible for the encryption and shipping to Nagios Log Server. However, if those specific cipher suites are a business requirement, that is a non-starter.
Re: Supported TLS ciphers
Posted: Mon Sep 11, 2017 12:25 pm
by tacolover101
To add on to what @mcapra mentioned: I imagine you could also accomplish this using a load balancer / reverse proxy to preserve the SSL connection, and pass it on to NLS from there. (This could allow you to meet the potential business requirement.)
Re: Supported TLS ciphers
Posted: Mon Sep 11, 2017 1:29 pm
by cdienger
Hi mfur,
Did mcapra's and taco's suggestion help?
Re: Supported TLS ciphers
Posted: Tue Sep 12, 2017 2:20 am
by mfur
Thank you for your insights. Unfortunately that means that there is no easy solution for us. A local rsyslog instance is not an option at the source at Bluemix. I am looking at ways to terminate the TLS connection at the destination server and pass it on to NLS as @tacolover101 suggested. Any practical ideas? Could OpenSSH (tunnel) accomplish that?
Re: Supported TLS ciphers
Posted: Tue Sep 12, 2017 1:56 pm
by cdienger
Configuring rsyslog to accept inbound secure connections should be doable but would require some custom config and possibly upgrading the existing version and other components. This could lead to other problems on the box, so I'd suggest testing this on a lab machine first if possible. Bluemix appears to also be able to push logs via https, so the same could be said for the local Apache install.
Once the machine is able to get the logs from Bluemix, you could use the syslog (https://www.elastic.co/guide/en/logstas ... yslog.html) or file (https://www.elastic.co/guide/en/logstas ... -file.html) inputs to import logs to the local NLS.
Re: Supported TLS ciphers
Posted: Mon Oct 02, 2017 7:31 am
by mfur
To anyone facing the same issue: installing HAProxy on the same server that runs Nagios Log Server and configuring it to terminate the TLS connection and forward the data to Nagios solved the issue for us. Setting up HAProxy is simple.
haproxy.cfg example configuration:
global
    maxconn 10000
    stats socket /var/run/haproxy.stat mode 600 level admin
    log 127.0.0.1 local2
    chroot /var/empty
    daemon

# TLS terminator: takes over the port the logstash tcp input used to
# listen on, using a single PEM that holds the certificate chain and key.
# No ssl-default-bind-ciphers is set, so the suites offered are the
# OpenSSL defaults of the HAProxy build (which normally include the
# ECDHE/DHE AES-GCM suites listed above).
frontend public
    bind *:5545 ssl crt /etc/pki/tls/private/device-nls-combined.pem
    mode tcp
    log global
    option dontlognull
    maxconn 8000
    timeout client 30s
    default_backend nagioslogserver

# Plain TCP to the local logstash tcp input, which now listens on 6545
# with ssl_enable turned off (TLS is already stripped by the frontend).
backend nagioslogserver
    mode tcp
    timeout connect 5s
    timeout server 30s
    timeout queue 30s
    server localnagios localhost:6545 check
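To confirm that a terminator like the HAProxy frontend above really negotiates the four suites Bluemix now requires (rather than just accepting any TLS connection), here is an added Python probe. It is not from this thread, from Nagios or from HAProxy; the host, port and CA file path are assumptions, and the IANA-to-OpenSSL name mapping is the standard one. The first function checks offline whether the OpenSSL linked into the interpreter can offer a suite at all; the second opens a real TLS 1.2 handshake offering exactly one suite and reports what the server picked.

```python
"""Probe a TLS endpoint for specific TLS 1.2 cipher suites.

Added example for the thread above; not part of Nagios Log Server or HAProxy.
"""
import socket
import ssl

# Suites from the Bluemix support response (IANA names) mapped to the
# OpenSSL names that ssl.SSLContext.set_ciphers() understands.
IANA_TO_OPENSSL = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
}


def local_support(suites=IANA_TO_OPENSSL):
    """Return {iana_name: bool} saying whether the local OpenSSL can offer
    each suite at all. Needs no network; an unknown name is reported False."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")  # everything the build knows, not just the defaults
    available = {c["name"] for c in ctx.get_ciphers()}
    result = {}
    for iana in suites:
        openssl_name = IANA_TO_OPENSSL.get(iana)
        result[iana] = openssl_name is not None and openssl_name in available
    return result


def negotiated_suite(host, port, iana_name, cafile=None, timeout=5.0):
    """Handshake offering only `iana_name` and return the OpenSSL name of the
    suite the server chose, or None if the server refused it.

    TLS is pinned to 1.2 because set_ciphers() does not govern TLS 1.3
    suites; without the pin a TLS 1.3 server would negotiate happily and
    tell you nothing about the 1.2 suites you are checking.
    Without `cafile` the certificate is not verified: this is a cipher
    probe, not an identity check, so pass the CA file for a real test.
    """
    openssl_name = IANA_TO_OPENSSL.get(iana_name)
    if openssl_name is None:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(openssl_name)  # raises if the local build lacks it
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def report(host, port, cafile=None, suites=IANA_TO_OPENSSL):
    """Probe every suite once; values are the negotiated name or None."""
    return {s: negotiated_suite(host, port, s, cafile) for s in suites}


if __name__ == "__main__":
    # Assumed target: the HAProxy frontend from the post, on the NLS box.
    for suite, picked in report("127.0.0.1", 5545).items():
        print(f"{suite}: {'OK ' + picked if picked else 'refused'}")
```

Run it against the HAProxy bind address; every line should read OK. A `refused` for an ECDHE suite usually means the server's cipher list or OpenSSL security level excludes it, while a `refused` for both DHE suites on an otherwise working terminator typically means no DH parameters are configured on the server side.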
Re: Supported TLS ciphers
Posted: Mon Oct 02, 2017 9:02 am
by kyang
Glad you were able to solve this and post the answer! We will be closing this topic as resolved!
If you have more questions, feel free to create another thread!
Thank you for using the Nagios Support Forums!