![]() When using Beats configure a logstash output. ![]() Write that path in the beats input configuration TLS Client Auth Trusted Certs and select required for the option TLS client authentication.Īfter this setting is saved only clients that provide a certificate that is trusted by the CA and is placed inside the configured directory ( /etc/graylog/server/trusted_clients) can deliver messages to Graylog. This directory must be available on all Graylog server that have the input enabled. Add Client Authentication to Beats InputĬreate one directory ( /etc/graylog/server/trusted_clients) that will hold all client certificates you allow to connect to the beats input. The ingesting client will verify the presented certificate against his know CA certificates, if that is successful communication will be established using TLS. Just reference the files TLS cert file and TLS private key file in the Beats Input configuration and restart the input. It can be the same or a different certificate as the one of your REST/web interface, as long as it matches all hostnames of your input. To enable TLS on the input, a certificate (and private key file) is needed. No automatic redirect from http to https is made. When using the Sidecar, use the https URI in the sidecar.ymlĪfter restart of Graylog the web interface and the API is served via https only. You might need to cover other settings in a multinode cluster or special setups - just read the comments of the settings inside of the nf. In addition change `http_enable_tls` to true. Place the `.key`and `.crt` file on your Graylog server in the configuration dir (/etc/graylog/server/) and add them to the Graylog nf. The shadowCA uses the same settings that can be found in the SSL documentation, but easy up the process. The most common error is that the certificate name does not match the hostname that is used for the connection. See README of shadowCA for the possible options. Create CertificatesĬreate certificates for each server, all hostnames and IPs that might be used later to connect from and to this server should be included in the certificates. Modify the JVM Setting to include =/etc/graylog/server/cacerts.jksin the GRAYLOG_JAVA_OPTS. Keytool -importcert -alias shadowCA -keystore /etc/graylog/server/cacerts.jks -storepass changeit -file r Custom JVM Keystore for Graylog # will only work if the default password & user is not changed. & cp /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/graylog/server/cacerts.jks ![]() & cp /usr/lib/jvm/jre/lib/security/cacerts /etc/graylog/server/cacerts.jks # copy cacert into Graylog Folder (ubuntu / debian and CENTOS openJDK ) The prime advantage is that it only needs the CA certificate and not all known self-signed certificates in the setup.: Graylog needs to know the CA that is used to verify the certificates. der file is imported to a JVM Keystore that is used by Graylog. Depending on your Browser you might need to import the. The CA certificate needs to be imported on all machines that are part of the setup using the documented steps. If in doubt check the shadowCA scripts what kind of certificate is created and used. The examples will take the given names from our shadowCA and reference to that only, please adjust this to your local needs. That is needed to create all certificates. SSL/TLS PreworkĬreate a CA with our shadowCA or use your already given CA. It should give the missing connection between the different parts of the documentation. ![]() This is a structured document that contains only information already given at various location in this documentation. This way only trusted sources are able to deliver messages into Graylog. The goal of this guide is to have a secured Graylog interface, API and secure communication for Beats that are authenticated by certificate.
0 Comments
Leave a Reply. |