![]() ![]() Filebeat reads the Wazuh server output data and. ![]() Here, you point to the public key portion of your client certificate. The Wazuh server uses Filebeat to send alert and event data to the Wazuh indexer, using TLS encryption. So what was added to Sidecar collector config was the following lines:Ībove path may differ, depending on Linux distro. Logs: /var/lib/graylog-sidecar/collectors/filebeat/log Ssl.key: /etc/graylog/sidecar/pki/private/.keyĭata: /var/lib/graylog-sidecar/collectors/filebeat/data Ssl.certificate: /etc/graylog/sidecar/pki/issued/.crt Ssl.certificate_authorities: /usr/local/share/ca-certificates//ca.crt If I change my sidecar collector config to this: # Needed for Graylogįllector_node_id: $ I have some idea that my problem might lie with the certificates and my lack of understanding of those… My issue here is that I simply cannot find anywhere in the Graylog GUI where I could enable TLS support and Insecure TLS connection on the Sidecar collector config! Is this an enterprise-only feature, or what am I missing here?Īt this point it’s tempting to just abandon this TLS security stuff, since I’ve spent far too much time on it already, but I feel like I’m quite close since I now have the web interface as well as the graylog-sidecar API using TLS encryption and thus only encrypting the actual log data being sent into Graylog from the client by graylog-sidecar is missing. Now in the Sidecar Beats Output Configuration you just mark Enable TLS Support and Insecure TLS connection So I can follow the above steps until this part: After this is saved, the communication between Beats and Graylog will use TLS. Without giving additional Information, Graylog will now create a self-signed certificate for this Input.Now in the Sidecar Beats Output Configuration you just mark Enable TLS Support and Insecure TLS connection. To secure the communication between the Collector and Graylog you just need to mark Enable TLS The Communication between Sidecar and Graylog will be secured if your API uses SSL. What has me a bit frustrated is reading this guidance from official Graylog docs on securing Sidecar/Beats communication: Here is my Beats input config (where I did also try and enter cert paths and password as mentioned above): Which sort of tell me that this is not the right direction…? ![]() T10:57:48.016 01:00 ERROR Error in Input (channel ) (cause io.: : error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE) I also tried providing my pkcs8-plain.pem cert instead of the encrypted one, but while that gives no errors in the sidecar.log client-side, it does produce these errors in the Graylog server log: So I guess the client would need to be told about the passphrase for that key file via the sidecar collector config, but I haven’t been able to find any info on how to do that Time="T10:52:39 01:00" level=error msg=" Collector output: Exiting: error initializing publisher: 1 error: tls: failed to parse private key\n" …while also omitting the ssl.certificate_authorities directive, but that only results in the client being unable to parse the pkcs8-encrypted.pem key (assumingly because it has not been told the passphrase for the key file) as can be seen when tailing the sidecar.log file on the client: ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |