Hello,

Having an issue with using om_ssl from a Windows NXlog client to a Linux ELK server.

The issue lies with the encryption part: the connection is established on the associated destination SSL port I set, but no SSL traffic can be seen/captured.

For information, here are the logstash config and the NXlog config. I believe the issue lies with the certs.

input {
  tcp {
    port => 5000
    type => syslog
  }
  udp {
    port => 5000
    type => syslog
  }
  tcp {
    port => 5001
    type => syslog
    ssl_cacert => "/etc/pki/tls/certs/rootCA.pem"
    ssl_cert => "/etc/pki/tls/certs/logstash.crt"
    ssl_key => "/etc/pki/tls/private/logstash.key"
    ssl_enable => true
  }
}

nxlog.conf:
<Output syslogout>
#This is for TCP non-SSL traffic
  Module om_tcp
  Host 192.168.0.20
  Port 5000
</Output>

<Output omsslout>
#This is for SSL traffic only, omit all "#"
  Module          om_ssl
  Host            192.168.0.20
  Port            5001
  CAFile          %CERTDIR%\rootCA.pem
  OutputType LineBased
  AllowUntrusted FALSE
</Output>

<Route 1>
  Path eventlog => eventlog_transformer => omsslout
</Route>

Only included relevant SSL parts, as everything else works over TCP and UDP.

Many thanks

Asked February 19, 2015 - 10:46pm

Comments (6)

  • adm (NXLog)

    Are you sure it's not due to SSLv3 having been recently disabled in Java? If it is, that should be visible in the logs (nxlog.log). SSLv3 can be reenabled in java.security; otherwise the EE already has TLS support and the next version of NXLog CE will also have this.

  • rdem

    I'm using the last version (2.9.1347), but suffer from SSL errors:

    2015-06-16 13:31:24 INFO connecting to 192.168.2.30:5001
    2015-06-16 13:31:24 INFO successfully connected to 192.168.2.30:5001
    2015-06-16 13:31:24 INFO reconnecting in 1 seconds

    Relevant part of the config:

    <Output sslout>
        Module          om_ssl
        Host            192.168.2.30
        Port            5001
        CAFile          %ROOT%\conf\star_site_eu.crt
    </Output>

    And relevant part of Logstash config:

    input {
      tcp {
        codec => json_lines { charset => CP1252 }
        port => "5001"
        ssl_cert => "/etc/pki/tls/signed/public/logstash-forwarder.crt"
        ssl_key => "/etc/pki/tls/signed/private/logstash-forwarder.key"
        ssl_enable => true
        tags => [ "tcpjson" ]
      }
    }

  • adm (NXLog)

    You will need to debug why the other end (i.e. logstash) closes the connection. Look at the logstash logs or check the ssl handshake with wireshark.
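
The handshake check suggested in the comments above comes down to reading the first TLS record each side sends: which protocol version the client offers and whether the server answers with an alert. The following is an added example, not part of the original thread or of NXLog or Logstash; the function names and the sample bytes are constructed for illustration.

```python
import struct

# (major, minor) version bytes as they appear on the wire
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# Alert descriptions that commonly end a refused handshake
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
          70: "protocol_version"}
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                23: "application_data"}


def describe_record(data: bytes) -> dict:
    """Classify the first TLS record in bytes captured from one side."""
    if len(data) < 5:
        return {"kind": "empty_or_truncated"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in RECORD_TYPES or major != 3:
        return {"kind": "not_tls"}  # e.g. plain syslog text sent to the SSL port
    body = data[5:5 + length]
    info = {"kind": RECORD_TYPES[ctype],
            "record_version": VERSIONS.get((major, minor), f"{major}.{minor}")}
    if ctype == 21 and len(body) >= 2:  # alert body: level, description
        info["level"] = "fatal" if body[0] == 2 else "warning"
        info["description"] = ALERTS.get(body[1], str(body[1]))
    elif ctype == 22 and len(body) >= 6 and body[0] == 1:
        # handshake header is type(1) + length(3); ClientHello starts with client_version(2)
        info["kind"] = "client_hello"
        info["offered"] = VERSIONS.get((body[4], body[5]), f"{body[4]}.{body[5]}")
    return info


def diagnose(client_bytes: bytes, server_bytes: bytes) -> str:
    """Turn the first record from each side into a one-line finding."""
    c, s = describe_record(client_bytes), describe_record(server_bytes)
    if c["kind"] != "client_hello":
        return "client did not start a TLS handshake (%s)" % c["kind"]
    if s["kind"] == "alert":
        return "client offered %s, server answered %s alert %s" % (
            c["offered"], s["level"], s["description"])
    if s["kind"] == "empty_or_truncated":
        return "client offered %s, server closed without a TLS reply" % c["offered"]
    return "client offered %s, server continued with %s" % (c["offered"], s["kind"])


# Constructed sample bytes (not captured from the systems in this thread)
SSLV3_HELLO = bytes.fromhex("160300002d010000290300") + bytes(39)
TLS12_HELLO = bytes.fromhex("160301002d010000290303") + bytes(39)
FATAL_ALERT = bytes.fromhex("15030000020228")
PLAINTEXT = b"<14>Feb 19 22:46:00 host app: test\n"
```

Feed it the first bytes of each direction exported from a packet capture of the port in question; an SSLv3 offer followed by a fatal alert points at a protocol version mismatch rather than at the certificates.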

Answers (0)