
Hello,

Because of my lack of encryption knowledge, I searched and found these instructions, which I followed in order to create an SSL connection between an nxlog client (Windows Server 2008 R2) and a graylog server.

So I transferred the "nxlog-ca.crt" to the client and indicated to the graylog server "nxlog-ca.key" as the TLS private key file and "nxlog-ca.crt" as the TLS cert file.

Here is the nxlog.conf:
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_msvistalog
        Query    <QueryList>\
            <Query Id="0">\
                <Select Path="Application">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
                <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
                <Select Path="System">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
                <Select Path="HardwareEvents">*[System[(Level=1  or Level=2 or Level=3)]]</Select>\
            </Query>\
        </QueryList>
</Input>

<Output sslout>
   Module          om_ssl
   Host            host_ip_address
   Port            12201
   CAFile          %CERTDIR%\nxlog-ca.crt
   OutputType      GELF_TCP
   AllowUntrusted  FALSE
</Output>

<Route 1>
    Path        in => sslout
</Route>

 

But when I launch "nxlog.exe -f", here is the error:

nxlog.exe -f
2015-08-04 12:23:05 INFO nxlog-ce-2.9.1347 started
2015-08-04 12:23:05 INFO connecting to host_ip_address:12201
2015-08-04 12:23:05 INFO successfully connect to host_ip_address:12201
2015-08-04 12:23:05 INFO remote socket was closed during SSL handshake
2015-08-04 12:23:05 INFO reconnecting in 1 seconds

And that's it. What am I missing?

I read in the documentation that all the certificate files are in "pem" format, but when I create them with certtool I get "crt" and "key" format files.

Thank you.

Asked August 4, 2015 - 12:48pm

Comments (3)

  • fata

    I tried something else today and the nxlog client sent me: 2015-08-04 16:55:05 ERROR SSL certificate verification failed: self signed certificate (err: 18).

    Please help.. :s

    August 4, 2015 - 5:01pm
  • adm (NXLog)

    From the documentation:

    AllowUntrusted
    This takes a boolean value of TRUE or FALSE and specifies whether the remote connection should be allowed without certificate verification. If set to TRUE the remote will be able to connect with unknown and self-signed certificates.

    August 4, 2015 - 5:05pm
  • fata

    Ok I set it to true and it's working now!! I was pretty sure that I read the documentation about this parameter. From now on, I will be more conscientious.

    Thank you guys for your quick answers!

    August 5, 2015 - 10:11am

Answer (1)

2015-08-04 12:23:05 INFO remote socket was closed during SSL handshake

You should check why the remote end is closing the connection; you can probably find the details in the graylog logs.

Answered August 4, 2015 - 5:16pm
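
Added example, not from the thread or the NXLog documentation: how certificate verification can pass with AllowUntrusted left at FALSE, shown with the openssl CLI rather than certtool. A CA signs a separate server certificate, the client receives only the CA certificate, and a self-signed certificate that is not in the CA file fails with the same error 18 quoted in the comments. All file and subject names are constructed.

```shell
#!/bin/sh
# Added example: every file name and subject name here is constructed.

# Build a demo PKI in directory $1.
make_demo_pki() {
    dir=$1
    # CA: only ca.crt is handed to clients (nxlog's CAFile); ca.key stays private.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Log CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key and CSR, signed by the CA: this pair is what the log server presents.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=graylog.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -days 30 -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    # A self-signed certificate that is not in the client's CA file.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=other.example.test" \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
}

# Exit status 0 only if certificate $2 chains to CA file $1.
verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the first X.509 verification error number for $2, or nothing if it verifies.
verify_error() {
    openssl verify -CAfile "$1" "$2" 2>&1 |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# PEM is an encoding, not an extension: a .crt file is PEM if it carries this header.
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
verifies "$demo_dir/ca.crt" "$demo_dir/server.crt" && echo "server.crt: verified"
echo "other.crt: verification error $(verify_error "$demo_dir/ca.crt" "$demo_dir/other.crt")"
is_pem_cert "$demo_dir/server.crt" && echo "server.crt: PEM encoded"
rm -rf "$demo_dir"
```

With this layout the CA private key never has to be installed on the log server, and the client keeps verifying the peer instead of accepting any certificate.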