通过 tls 将日志从 rsyslog 转发到 graylog

通过 tls 将日志从 rsyslog 转发到 graylog

我正在尝试通过 tls 将日志从 rsyslog 转发到 graylog。

rsyslog配置:

# make gtls driver the default
$DefaultNetstreamDriver gtls
#
# # certificate files
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/rsyslog-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/rsyslog-key.pem
#
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer graylog.mydomain.com
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
*.* @@graylog.mydomain.com:6514 # forward everything to remote server

我按照 rsyslog 文档中所述生成了必要的证书:

certtool --pkcs8 --generate-privkey --outfile ca-key.pem
certtool --pkcs8 --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem

certtool --pkcs8 --generate-privkey --outfile graylog.key.pem 
certtool --pkcs8 --generate-request --load-privkey graylog.key.pem --outfile graylog.request.pem
certtool --pkcs8 --generate-certificate --load-request graylog.request.pem --outfile graylog.cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem

certtool --pkcs8 --generate-privkey --outfile rsyslog.key.pem 
certtool --pkcs8 --generate-request --load-privkey rsyslog.key.pem --outfile rsyslog.request.pem
certtool --pkcs8 --generate-certificate --load-request rsyslog.request.pem --outfile rsyslog.cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem

Graylog 配置

所有证书文件都在 /etc/ssl/graylog/input-ca/ 中

graylog输入配置如下:

TLS cert file: /etc/ssl/graylog/input-ca/graylog-cert.pem
TLS private key file: /etc/ssl/graylog/input-ca/graylog-key.pem
TLS Client Auth Trusted Certs: /etc/ssl/graylog/input-ca

但是当 rsyslog 将日志消息推送到 garylog 时我收到此错误:

2016-10-06T13:19:27.734+02:00 WARN  [AbstractNioSelector] Failed to initialize an accepted socket.
java.security.cert.CertificateParsingException: signed fields invalid
    at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1791) ~[?:1.8.0_91]
    at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195) ~[?:1.8.0_91]
    at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:469) ~[?:1.8.0_91]
    at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:354) ~[?:1.8.0_91]
    at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462) ~[?:1.8.0_91]
    at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:90) ~[graylog.jar:?]
    at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:100) ~[graylog.jar:?]
    at org.graylog2.plugin.inputs.transports.util.KeyUtil.initTrustStore(KeyUtil.java:73) ~[graylog.jar:?]
    at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.createSslEngine(AbstractTcpTransport.java:199) ~[graylog.jar:?]
    at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:186) ~[graylog.jar:?]
    at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:182) ~[graylog.jar:?]
    at org.graylog2.plugin.inputs.transports.NettyTransport$1.getPipeline(NettyTransport.java:110) ~[graylog.jar:?]
    at org.jboss.netty.channel.socket.nio.NioServerBoss.registerAcceptedChannel(NioServerBoss.java:134) [graylog.jar:?]
    at org.jboss.netty.channel.socket.nio.NioServerBoss.process(NioServerBoss.java:104) [graylog.jar:?]
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
    at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42) [graylog.jar:?]
    at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
    at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_91]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_91]
    at java.lang.Thread.run(Thread.java:745) [?:1.8.0_91]

知道可能是什么问题吗?

答案1

确保您的 Graylog 进程可以读取证书文件和密钥。(它通常以“graylog”用户身份运行,而不是 root 用户。)“无法初始化接受的套接字”正是 Graylog 无法读取这些文件时出现的错误。

通常,您希望密钥、证书和其他文件位于/etc/graylog(我使用/etc/graylog/keys) 下并由用户拥有graylog。确保密钥对组或其他人不可读。

答案2

您必须使用 keytool 将证书导入 java 密钥库。

keytool -import -alias mygraylogcertificate -file mygraylogcertificate.cer -keystore examplekeystore

密钥库位置根据安装而不同。

答案3

我们最终解决了这个问题,方法是让客户端通过 TLS 将 rsyslog 日志推送到收集服务器上的 rsyslog,然后让收集服务器上的 rsyslog 将这些日志转发到 graylog2。

示意图: 开发机器 1 -> rsyslog -> TLS -> 收集服务器:rsyslog -> graylog2

相关内容