Help needed with syslog SSL input
Posted: Mon Jul 01, 2019 9:55 am
by Bitflogger
Hello, I'm running v2.0.8 NLS on a 64-bit VM CentOS 7 server.
I have set up SSL/TLS input for a Windows server, it works fine.
I have set up SSL/TLS input from a Linux server.
On the NLS server, using the recommended tcpdump command, I see what looks like encrypted data coming in from the host.
When I look at the events for the host, there are no new events.
On the NLS server, after moving certificate and key files to /etc/pki/tls/[certs,private], does any task need to be restarted?
Earl
Re: Help needed with syslog SSL input
Posted: Mon Jul 01, 2019 4:36 pm
by cdienger
It sounds like you followed the steps in
https://assets.nagios.com/downloads/nag ... th-SSL.pdf, correct?
Restarting the service shouldn't be necessary but try this:
tail -f /var/log/logstash/logstash.log
and while that is running, restart the service:
and see if any errors are getting logged when the restart happens or as logs come in.
Re: Help needed with syslog SSL input
Posted: Mon Jul 01, 2019 4:57 pm
by Bitflogger
Hello,
Yes, that is the document I used.
The firewalls were set up by my tech staff, I have no reason to suspect any problem there.
logstash.log was empty until I did the restart, then 3 lines came in from the restart.
I see data come in from the Linux client. I'm sure I have the port right on both sides.
I am not seeing any events in the query, after about 9:40 AM when I made the change. I went through the steps to configure it twice.
I see no more entries in logstash.log.
Earl
Re: Help needed with syslog SSL input
Posted: Tue Jul 02, 2019 12:52 pm
by cdienger
Please provide the tcpdump if possible. You can PM it to me if there is any sensitive info.
We can enable debug logging for logstash by editing /etc/init.d/logstash and changing line 64 from:
DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS}"
to:
DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS} --debug"
Then restart it with:
systemctl daemon-reload
service logstash restart
Let it run long enough to capture data from the sending device and then disable debug logging and PM me the logstash.log as well as the sending device's IP address.
Re: Help needed with syslog SSL input
Posted: Mon Jul 08, 2019 4:56 pm
by cdienger
Is the input listening on port 7778 like the document suggests? The tcpdump provided doesn't show anything on this port. A better command to see if it is coming in on this port would be:
tcpdump -i eth0 -nnvXSs 0 host 10.25.13.37 and port 7778
Re: Help needed with syslog SSL input
Posted: Thu Jul 11, 2019 9:03 am
by Bitflogger
Hello,
I still have files backing up on the source CentOS 7 server, in /var/lib/rsyslog, which should be going to my NLS server.
I tried the signing step again, sending the syslog-ca.pem file over and restarting rsyslog.
I know this works when I set it up for non-secure transmission.
I can access the 7778 port on the NLS server using TCP from the client server.
What can I check to resolve this?
Earl
Re: Help needed with syslog SSL input
Posted: Thu Jul 11, 2019 10:09 am
by Bitflogger
Hello,
Installing rsyslog-gnutls on the client server corrected the problem.
Thanks for your time!
Please lock the case.
Earl
Re: Help needed with syslog SSL input
Posted: Thu Jul 11, 2019 12:02 pm
by scottwilkerson
Bitflogger wrote: Hello,
Installing rsyslog-gnutls on the client server corrected the problem.
Thanks for your time!
Please lock the case.
Earl
Great!
Locking
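
A client-side preflight for the failure resolved in this thread (TLS forwarding configured while the rsyslog-gnutls driver is absent), added here as an example and not taken from the posters or from Nagios. It assumes legacy `$`-style rsyslog directives, the CentOS 7 x86_64 module directory /usr/lib64/rsyslog, and the driver file name lmnsd_gtls.so; the function names are hypothetical.

```shell
#!/bin/sh
# Preflight for an rsyslog client that forwards over TLS (added example).
# Assumed defaults: config in /etc/rsyslog.conf and /etc/rsyslog.d/,
# loadable modules in /usr/lib64/rsyslog (CentOS 7 x86_64).

# Returns 0 when the configuration selects the gtls netstream driver.
wants_gtls() {  # $1 = rsyslog.conf, $2 = rsyslog.d directory
    cat "$1" "$2"/*.conf 2>/dev/null | grep -Eiq \
        '^[[:space:]]*\$(DefaultNetstreamDriver|ActionSendStreamDriver)[[:space:]]+gtls'
}

# Prints the CA file path configured for the netstream driver, if any.
tls_ca_file() {
    cat "$1" "$2"/*.conf 2>/dev/null |
        awk 'tolower($1) == "$defaultnetstreamdrivercafile" { print $2; exit }'
}

# check_tls_client CONF CONF_DIR MODULE_DIR
# Prints one verdict word; returns non-zero when TLS forwarding cannot work.
check_tls_client() {
    if ! wants_gtls "$1" "$2"; then
        echo "no-tls-configured"; return 0
    fi
    # lmnsd_gtls.so is the driver shipped by the rsyslog-gnutls package.
    # Without it rsyslog cannot complete the TLS handshake and messages
    # queue on the client instead of reaching the collector.
    if [ ! -f "$3/lmnsd_gtls.so" ]; then
        echo "gtls-driver-missing"; return 1
    fi
    ca=$(tls_ca_file "$1" "$2")
    if [ -z "$ca" ] || [ ! -r "$ca" ]; then
        echo "ca-file-unreadable"; return 1
    fi
    echo "ok"
}

# Check the live system only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    check_tls_client /etc/rsyslog.conf /etc/rsyslog.d /usr/lib64/rsyslog
fi
```

A verdict of gtls-driver-missing corresponds to the state fixed above by installing rsyslog-gnutls; restart rsyslog after installing it so the driver is loaded.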