服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 通过tls将日志从rsyslog转发到graylog
Intereting Posts
BTRFS设备在机箱体积上的快照 htaccessredirect到另一个域仍然影响原来的网站的带宽? FreeBSD:用户名超过16个字符 临时查找失败 – Postfix / Dovecot 如何pipe所有日志文件条目到Linux上的数据库? 在公共文件夹内移动电子邮件而不复制 Shorewall多个传出的IP分配 MySQL – 服务器退出而不更新PID文件 工作包含共享组文件夹的文件夹 如何创build一个大样本数据库? 是否有标准的pipe理型交换机configuration协议? 如何让Apache在RHEL6中使用MOD_WSGI或MOD_PYTHON运行python脚本? 你如何处理来自多个来源的防火墙规则,每个都需要打开几十个端口? 我如何检测哪个版本的32位或64位Java安装在Centos中? 使用Clonezilla在IBM x3650M2服务器上克隆CentOS VM

通过tls将日志从rsyslog转发到graylog

我试图通过tls从rsyslog转发日志到graylog。

rsyslogconfiguration: 

# make gtls driver the default $DefaultNetstreamDriver gtls # # # certificate files $DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/ca.pem $DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/rsyslog-cert.pem $DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/rsyslog-key.pem # $ActionSendStreamDriverAuthMode x509/name $ActionSendStreamDriverPermittedPeer graylog.mydomain.com $ActionSendStreamDriverMode 1 # run driver in TLS-only mode *.* @@graylog.mydomain.com:6514 # forward everything to remote server

我生成了必要的证书,如rsyslog文档中所述: 

 certtool --pkcs8 --generate-privkey --outfile ca-key.pem certtool --pkcs8 --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem certtool --pkcs8 --generate-privkey --outfile graylog.key.pem certtool --pkcs8 --generate-request --load-privkey graylog.key.pem --outfile graylog.request.pem certtool --pkcs8 --generate-certificate --load-request graylog.request.pem --outfile graylog.cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem certtool --pkcs8 --generate-privkey --outfile rsyslog.key.pem certtool --pkcs8 --generate-request --load-privkey rsyslog.key.pem --outfile rsyslog.request.pem certtool --pkcs8 --generate-certificate --load-request rsyslog.request.pem --outfile rsyslog.cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem

Graylogconfiguration

所有的certifcate文件都在/ etc / ssl / graylog / input-ca /

这个grayloginput是这样configuration的: 

 TLS cert file: /etc/ssl/graylog/input-ca/graylog-cert.pem TLS private key file: /etc/ssl/graylog/input-ca/graylog-key.pem TLS Client Auth Trusted Certs: /etc/ssl/graylog/input-ca

但是,当rsyslog推送日志消息garylog我得到这个错误: 

 2016-10-06T13:19:27.734+02:00 WARN [AbstractNioSelector] Failed to initialize an accepted socket. java.security.cert.CertificateParsingException: signed fields invalid at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1791) ~[?:1.8.0_91] at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195) ~[?:1.8.0_91] at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:469) ~[?:1.8.0_91] at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:354) ~[?:1.8.0_91] at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462) ~[?:1.8.0_91] at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:90) ~[graylog.jar:?] at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:100) ~[graylog.jar:?] at org.graylog2.plugin.inputs.transports.util.KeyUtil.initTrustStore(KeyUtil.java:73) ~[graylog.jar:?] at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.createSslEngine(AbstractTcpTransport.java:199) ~[graylog.jar:?] at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:186) ~[graylog.jar:?] at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:182) ~[graylog.jar:?] at org.graylog2.plugin.inputs.transports.NettyTransport$1.getPipeline(NettyTransport.java:110) ~[graylog.jar:?] at org.jboss.netty.channel.socket.nio.NioServerBoss.registerAcceptedChannel(NioServerBoss.java:134) [graylog.jar:?] at org.jboss.netty.channel.socket.nio.NioServerBoss.process(NioServerBoss.java:104) [graylog.jar:?] at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?] at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42) [graylog.jar:?] at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?] at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_91] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_91] at java.lang.Thread.run(Thread.java:745) [?:1.8.0_91]

任何想法可能是什么问题?

您必须使用keytool将证书导入到java密钥库中。 

 keytool -import -alias mygraylogcertificate -file mygraylogcertificate.cer -keystore examplekeystore

密钥库位置根据安装而不同。

确保您的Graylog进程可以读取证书文件和密钥。 (通常以“graylog”用户身份运行,而不是root用户)。“无法初始化已接受的套接字”正是出现的错误,Graylog无法读取这些文件。

您通常希望您的密钥,证书和其他文件在/etc/graylog (我使用/etc/graylog/keys )下,并由graylog用户拥有。 确保密钥对群组或其他群组不可读。

我们最终解决了这个问题,让客户端将采用rsyslog的日志推送到收集服务器上的rsyslog,然后让收集服务器上的rsyslog将这些日志转发给graylog2。

示意图: Dev-machine 1 – > rsyslog – > TLS – > collect-server:rsyslog – > graylog2