No SSL data sent (om_ssl) from Windows NXlog to Linux ELK

#1 squidie

Hello,

Having an issue with using om_ssl from a Windows NXlog client to a Linux ELK server.

The issue lies with the encryption part, the connection is established on the associated destination SSL port I set but no SSL traffic can be seen/captured.

For information here is the logstash config and the NXlog config, I believe the issue lies with the certs.

input {
  tcp {
    port => 5000
    type => syslog
  }
  udp {
    port => 5000
    type => syslog
  }
  tcp {
    port => 5001
    type => syslog
    ssl_cacert => "/etc/pki/tls/certs/rootCA.pem"
    ssl_cert => "/etc/pki/tls/certs/logstash.crt"
    ssl_key => "/etc/pki/tls/private/logstash.key"
    ssl_enable => true
  }
}

nxlog.conf:
<Output syslogout>
#This is for TCP non-SSL traffic
  Module om_tcp
  Host 192.168.0.20
  Port 5000
</Output>

<Output omsslout>
#This is for SSL traffic only, omit all "#"
  Module          om_ssl
  Host            192.168.0.20
  Port            5001
  CAFile          %CERTDIR%\rootCA.pem
  OutputType LineBased
  AllowUntrusted FALSE
</Output>

<Route 1>
  Path eventlog => eventlog_transformer => omsslout
</Route>

Only included relevant SSL parts as everything else works over TCP and UDP.

Many thanks

#2 adm Nxlog ✓

Are you sure it's not due to SSLv3 having been recently disabled in Java? If it is, that should be visible in the logs (nxlog.log). SSLv3 can be re-enabled in java.security, otherwise the EE already has TLS support and the next version of NXLog CE will also have this.
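One way to check which TLS protocol versions the Logstash listener on port 5001 will negotiate, and whether its certificate chains to rootCA.pem. This is an added example, not part of the thread and not NXLog or Logstash code; `probe_tls` is a hypothetical helper and the CA file path in the usage line is an assumption. Typical Python builds cannot offer SSLv3, so a listener that passes here while the NXLog client fails is consistent with the protocol-version mismatch suggested in the reply.

```python
import socket
import ssl
import warnings

# Protocol versions to offer one at a time (SSLv3 is not available in typical builds).
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe_tls(host, port, cafile=None, timeout=3.0):
    """Return {version: outcome}, separating TCP failures from TLS failures."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            # The chain is validated against cafile (system store if None).
            ctx = ssl.create_default_context(cafile=cafile)
            # The thread connects to a bare IP, so only the chain is checked here.
            ctx.check_hostname = False
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx.minimum_version = ctx.maximum_version = version
        except ValueError as exc:
            results[name] = f"unsupported locally: {exc}"
            continue
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
        except OSError as exc:
            results[name] = f"tcp connect failed: {exc}"
            continue
        try:
            with ctx.wrap_socket(sock) as tls:
                results[name] = f"ok: {tls.version()} {tls.cipher()[0]}"
        except (ssl.SSLError, OSError) as exc:
            # Port is open, but no usable TLS session at this version.
            results[name] = f"handshake failed: {exc}"
        finally:
            sock.close()
    return results

if __name__ == "__main__":
    # Host and port from the thread; the CA file path is an assumed local copy.
    for ver, outcome in probe_tls("192.168.0.20", 5001, cafile="rootCA.pem").items():
        print(f"{ver:8} {outcome}")
```

An `ok:` line for a version means the listener speaks it and the certificate verified; `handshake failed` on every line with the port open matches the symptom in the first post.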