
On a Windows 2012 server I'm collecting system events and then sending them to a remote server using OutputType GELF. This works fine on my servers behind a firewall; however, I have an AWS server that I would like to log and send logs over a TLS connection.

Here's what my working Output looks like:

<Output out>
    Module      om_udp
    Host        XXX.XXX.XXX.XXX
    Port        12201
    OutputType  GELF
</Output>

<Route 1>
    Path      insql, in => out
</Route>

I have tested configs like the one below without success: the SSL connection is made but no logs are sent, and the machine just repeats connections over and over to my Graylog server.

<Output out>
    Module      om_ssl
    Host        XXX.XXX.XXX.XXX
    Port        12201
    CAFile     %ROOT%\cert\ca.pem
    CertFile    %ROOT%\cert\client-cert.pem
    CertKeyFile    %ROOT%\cert\client-key.pem
    OutputType  GELF
</Output>

<Route 1>
    Path      insql, in => out
</Route>

Any ideas on how to proxy an "OutputType GELF" within a TLS/SSL connection?

Thanks,

Chipmunk

Asked September 28, 2015 - 9:15pm

Answer (1)

For tcp/ssl transport you need to use OutputType GELF_TCP.

Answered September 28, 2015 - 9:19pm
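
The two GELF framings behind the answer above, as an added example (not code from this thread or from NXLog): per the GELF specification, the UDP form is a self-contained datagram that may be compressed or chunked, while the TCP form is uncompressed JSON terminated by a null byte, and TLS only wraps that stream. The helper names and the sample event are constructed for illustration.

```python
import gzip
import json

GZIP_MAGIC = b"\x1f\x8b"    # gzip header: GELF UDP datagrams may be compressed
CHUNK_MAGIC = b"\x1e\x0f"   # GELF UDP chunk header

# Constructed sample event (GELF 1.1 fields), not taken from the thread.
SAMPLE = {"version": "1.1", "host": "example-host",
          "short_message": "constructed sample event", "level": 6}


def encode_gelf_tcp(event):
    """Stream framing: uncompressed JSON terminated by a NUL byte."""
    return json.dumps(event).encode("utf-8") + b"\x00"


def encode_gelf_udp(event):
    """Datagram framing: one gzip-compressed JSON document, no delimiter."""
    return gzip.compress(json.dumps(event).encode("utf-8"))


class GelfTcpReader:
    """Reassembles NUL-delimited GELF frames from arbitrary stream reads."""

    def __init__(self):
        self._buf = b""

    def feed(self, data):
        self._buf += data
        # Compressed data can contain NUL bytes, so check before splitting.
        if self._buf[:2] in (GZIP_MAGIC, CHUNK_MAGIC):
            raise ValueError("datagram-style GELF payload on a stream input")
        *frames, self._buf = self._buf.split(b"\x00")
        return [json.loads(f) for f in frames if f]


if __name__ == "__main__":
    reader = GelfTcpReader()
    stream = encode_gelf_tcp(SAMPLE) * 2
    print(reader.feed(stream[:25]))   # partial frame: nothing complete yet
    print(reader.feed(stream[25:]))   # both events once the NULs arrive
    try:
        GelfTcpReader().feed(encode_gelf_udp(SAMPLE))
    except ValueError as exc:
        print("rejected:", exc)
```
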

Comments (2)

  • chipmunk

    Thank you for your support. I've tried what you recommended, as seen below, with the same result.
    <Output out>
        Module      om_ssl
        Host        66.219.28.153
        Port        12201
        CAFile     %ROOT%\cert\ca.pem
        CertFile    %ROOT%\cert\sql1-cert.pem
        CertKeyFile    %ROOT%\cert\sql1-key.pem
        # I've tried "TRUE" as well without any change
        AllowUntrusted FALSE
        OutputType  GELF_TCP
    </Output>

    Here's what my logs look like when I restart, after the restart the "reconnecting" repeats continuously.

    I'm running nxlog-ce-2.9.1347

    2015-09-28 17:52:00 WARNING stopping nxlog service
    2015-09-28 17:52:00 WARNING nxlog-ce received a termination request signal, exiting...
    2015-09-28 17:52:06 INFO connecting to xxx.xxx.xxx.xxx:12201
    2015-09-28 17:52:06 INFO nxlog-ce-2.9.1347 started
    2015-09-28 17:52:06 INFO successfully connected to xxx.xxx.xxx.xxx:12201
    2015-09-28 17:52:06 INFO remote socket was closed during SSL handshake
    2015-09-28 17:52:06 INFO reconnecting in 1 seconds
    2015-09-28 17:52:07 INFO connecting to xxx.xxx.xxx.xxx:12201
    2015-09-28 17:52:07 INFO successfully connected to xxx.xxx.xxx.xxx:12201
    2015-09-28 17:52:07 INFO reconnecting in 1 seconds

    September 29, 2015 - 12:47am
  • adm (NXLog)

    The other end is closing the connection so you need to check (the graylog?) SSL connection settings and the logs there.

    September 29, 2015 - 7:13pm