Graylog 2.1でGraylog Collector Sidecarで転送するログの暗号化を行う

Graylog 2.1でGraylog Collector Sidecarで転送するログの暗号化を行う

Graylogで、転送するログの暗号化をしてパケットキャプチャをされても見れないようにする。
普通にただ設定すると、暗号化せずに転送されてしまうため、GELF形式で送ってもこんな感じで中身を見れてしまう。

blacknon@BS-PUB-GRAYLOG:~$ sudo tcpdump -i ens19 port 12201 -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens19, link-type EN10MB (Ethernet), capture size 262144 bytes
20:46:04.490369 IP 172.XXX.XXX.120.38600 > 172.XXX.XXX.187.12201: Flags [P.], seq 3796279135:3796279539, ack 1914087123, win 229, options [nop,nop,TS val 211603720 ecr 104066410], length 404
 0x0000: 4500 01c8 ea5f 4000 4006 2d74 ac14 6478 E...._@.@.-t..dx
 0x0010: ac14 64bb 96c8 2fa9 e246 9f5f 7216 a6d3 ..d.../..F._r...
 0x0020: 8018 00e5 e70e 0000 0101 080a 0c9c d108 ................
 0x0030: 0633 ed6a 7b22 7665 7273 696f 6e22 3a22 .3.j{"version":"
 0x0040: 312e 3122 2c22 5f45 7665 6e74 5265 6365 1.1","_EventRece
 0x0050: 6976 6564 5469 6d65 223a 2232 3031 362d ivedTime":"2016-
 0x0060: 3039 2d32 3520 3230 3a34 363a 3034 222c 09-25.20:46:04",
 0x0070: 225f 536f 7572 6365 4d6f 6475 6c65 4e61 "_SourceModuleNa
 0x0080: 6d65 223a 2235 3765 3230 6134 3666 3131 me":"57e20a46f11
 0x0090: 3135 3332 3063 3166 3636 3732 3122 2c22 15320c1f66721","
 0x00a0: 5f53 6f75 7263 654d 6f64 756c 6554 7970 _SourceModuleTyp
 0x00b0: 6522 3a22 696d 5f66 696c 6522 2c22 5f46 e":"im_file","_F
 0x00c0: 696c 654e 616d 6522 3a22 2f76 6172 2f6c ileName":"/var/l
 0x00d0: 6f67 2f73 7973 6c6f 6722 2c22 5f67 6c32 og/syslog","_gl2
 0x00e0: 5f73 6f75 7263 655f 636f 6c6c 6563 746f _source_collecto
 0x00f0: 7222 3a22 3337 3033 3232 3634 2d31 3564 r":"37032264-15d
 0x0100: 392d 3432 3863 2d61 3931 642d 3563 3437 9-428c-a91d-5c47
 0x0110: 6532 3833 6432 6233 222c 2268 6f73 7422 e283d2b3","host"
 0x0120: 3a22 4253 2d50 5542 2d55 4255 4e54 552d :"BS-PUB-UBUNTU-</span>
 0x0130: 3031 2e42 4c41 434b 4e4f 4e2e 4c4f 4341 01.BLACKNON.LOCA</span>
 0x0140: 4c22 2c22 7368 6f72 745f 6d65 7373 6167 L</span>","short_messag
 0x0150: 6522 3a22 5365 7020 3235 2032 303a 3436 e":"Sep.25.20:46
 0x0160: 3a30 3020 4253 2d50 5542 2d55 4255 4e54 :00.BS-PUB-UBUNT
 0x0170: 552d 3031 2062 6c61 636b 6e6f 6e3a 206d U-01.blacknon:.m
 0x0180: 6573 7361 6765 2072 6570 6561 7465 6420 essage.repeated.
 0x0190: 3220 7469 6d65 733a 205b 2074 6573 7431 2.times:.[.test1</span>
 0x01a0: 3233 345d 222c 2274 696d 6573 7461 6d70 234</span>]","timestamp
 0x01b0: 223a 3134 3734 3830 3339 3634 2c22 6c65 ":1474803964,"le
 0x01c0: 7665 6c22 3a36 7d00 vel":6}.

これだとちょっとありがたくないので、ログを転送する際に暗号化してパケットキャプチャをされても見れないようにする。
なお、今回はサーバがUbuntu Server 16.04を用いたGraylogServer 2.1、クライアント側がGraylog Collector Sidecar + NXLogでログ転送(GELF形式)をしている環境においてのログ転送暗号化とする。
※Graylog Server 2.0系だとCollector SidecarのSSLが対応できてないので注意。

1.鍵ファイルの作成

まず、ログの通信を暗号化するための鍵ファイルを作成する。以下、rootユーザで処理を行う。
設置先は、「/opt/cert」というディレクトリにする。

mkdir -m 600 -p /opt/cert/
cd !$

鍵ファイルを作成するためにコマンドをインストールする。

sudo apt-get install gnutls-bin

鍵ファイルを作成する。

certtool --generate-privkey --outfile ca-key.pem --bits 2048
root@BS-PUB-GRAYLOG:/opt/cert# certtool --generate-privkey --outfile ca-key.pem --bits 2048
** Note: You may use '--sec-param Medium' instead of '--bits 2048'
Generating a 2048 bit RSA private key...

CA証明書を作成する。

certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
root@BS-PUB-GRAYLOG:/opt/cert# certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name: Graylog-GELF</span>
UID:
Organizational unit name:
Organization name:
Locality name: Tokyo</span>
State or province name: Tachikawa</span>
Country name (2 chars): JP</span>
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 6334261173835579667):

Activation/Expiration time.
The certificate will expire in (days): 3650</span>

Extensions.
Does the certificate belong to an authority? (y/N): y</span>
Path length constraint (decimal, -1 for no constraint):
Is this a TLS web client certificate? (y/N): N</span>
Will the certificate be used for IPsec IKE operations? (y/N): N</span>
Is this a TLS web server certificate? (y/N): N</span>
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y</span>
Will the certificate be used to sign CRLs? (y/N): N</span>
Will the certificate be used to sign code? (y/N): N</span>
Will the certificate be used to sign OCSP requests? (y/N): N</span>
Will the certificate be used for time stamping? (y/N): N</span>
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
        Version: 3

        ~省略~

Is the above information ok? (y/N): y</span>

Signing certificate...

サーバ証明書を作成する。

certtool --generate-privkey --outfile key.pem --bits 2048
certtool --generate-request --load-privkey key.pem --outfile request.pem
certtool --generate-certificate --load-request request.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem --outfile cert.pem
root@BS-PUB-GRAYLOG:/opt/cert# certtool --generate-privkey --outfile key.pem --bits 2048
** Note: You may use '--sec-param Medium' instead of '--bits 2048'
Generating a 2048 bit RSA private key...
root@BS-PUB-GRAYLOG:/opt/cert# certtool --generate-request --load-privkey key.pem --outfile request.pem
Generating a PKCS #10 certificate request...
Common name: Graylog-GELF</span>
Organizational unit name:
Organization name:
Locality name: Tokyo</span>
State or province name: Tachikawa</span>
Country name (2 chars): JP</span>
Enter the subject's domain component (DC):
UID:
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): N</span>
Will the certificate be used for signing (DHE ciphersuites)? (Y/n): N</span>
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): N</span>
Is this a TLS web client certificate? (y/N): y</span>
Is this a TLS web server certificate? (y/N): y</span>
Self signature: verified

root@BS-PUB-GRAYLOG:/opt/cert# certtool --generate-certificate --load-request request.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem --outfile cert.pem
Generating a signed certificate...
Enter the certificate's serial number in decimal (default: 6334263909407233153):

Activation/Expiration time.
The certificate will expire in (days): 3650</span>

Expiration time: Wed Sep 23 22:39:09 2026
CA expiration time: Wed Sep 23 22:28:31 2026
Warning: The time set exceeds the CA's expiration time
Is it ok to proceed? (y/N): y</span>

Extensions.
Do you want to honour the extensions from the request? (y/N): N</span>
Does the certificate belong to an authority? (y/N): N</span>
Is this a TLS web client certificate? (y/N): y</span>
Will the certificate be used for IPsec IKE operations? (y/N): N</span>
Is this a TLS web server certificate? (y/N): y</span>
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE ciphersuites)? (Y/n): N</span>
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): N</span>
X.509 Certificate Information:
        Version: 3

        ~省略~

Is the above information ok? (y/N): y</span>

Signing certificate...

フォルダの所有者をgraylogに変更する。

chown graylog. -R /opt/cert

フォルダの所有者を変えたら、作成した鍵ファイルについてクライアント側に転送する。
具体的には、同じPATHに以下の3つのファイルを転送する。

  • /opt/cert/ca.pem
  • /opt/cert/cert.pem
  • /opt/cert/key.pem

2.Graylog Collector Sidecar側の設定変更

次に、Graylog Collector Sidecar(クライアント)側に対して暗号化を行うよう設定をする。
GraylogServerの管理画面にアクセスし、[System] > [Collector] > [Manage Configuration]を開き、編集対象のConfigurationを開く。

画面下のタブで[NXLog]を選択し、設定変更をするOutputのEditボタンをクリックする。

Typeを「[NXLog] GELF TCP/TLS output」に変更し、CAやCert、KeyファイルのPATHを指定する。
設定を確認して問題なければそのまま保存する。

  • CA File … /opt/cert/ca.pem
  • Cert File ... /ope/cert/cert.pem
  • Key File ... /opt/cert/key.pem

これで、Collector側の設定は完了。

3.GraylogのInput側で設定を変更する

最後に、GraylogのInput側で設定の変更をする。
[System] > [Input]から対象のInputを編集する。

  • TLS cert file ... /opt/cert/cert.pem
  • TLS private key file ... /opt/cert/key.pem
  • Enable TLS ... チェック
  • TLS Client Auth Trusted Certs ... /opt/cert/ca.pem
  • TLS client authentication ... disabled

これで、転送されるログの暗号化ができた。

blacknon@BS-PUB-GRAYLOG:~$ sudo tcpdump -i ens19 port 12201 -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens19, link-type EN10MB (Ethernet), capture size 262144 bytes
00:18:21.935069 IP 172.XXX.XXX.120.47086 > 172.XXX.XXX.187.12201: Flags [P.], seq 2416711232:2416711637, ack 2081285395, win 240, options [nop,nop,TS val 214788092 ecr 107249662], length 405
        0x0000:  4500 01c9 2b3d 4000 4006 ec95 ac14 6478  E...+=@.@.....dx
        0x0010:  ac14 64bb b7ee 2fa9 900c 1640 7c0d e513  ..d.../....@|...
        0x0020:  8018 00f0 19af 0000 0101 080a 0ccd 67fc  ..............g.
        0x0030:  0664 7ffe 1703 0301 905d 391b a608 4b15  .d.......]9...K.
        0x0040:  574a f85e d275 422d bf96 a73a b73d 841b  WJ.^.uB-...:.=..
        0x0050:  a825 5dcb e563 d945 eae1 971e c64c d612  .%]..c.E.....L..
        0x0060:  aee3 b915 d1f5 4573 1ebf f6c5 8264 b439  ......Es.....d.9
        0x0070:  713e 39ec 29ae 1a6b feee 4e98 672c 086e  q>9.)..k..N.g,.n
        0x0080:  38ba 411a 2fea 5566 9013 6d35 8ce9 3d59  8.A./.Uf..m5..=Y
        0x0090:  375f 1bbd e05a f9cf 8e40 4849 fd15 2dec  7_...Z...@HI..-.
        0x00a0:  c804 f4c8 45a7 8e0b faa4 9391 6a96 8b8a  ....E.......j...
        0x00b0:  b6a6 b5f2 de59 21e8 06ab c87b 0b1c 75cc  .....Y!....{..u.
        0x00c0:  b2cf 0503 e909 4a98 bcc0 2452 1902 f823  ......J...$R...#
        0x00d0:  f111 693d 5701 a335 14f3 fc15 6873 0481  ..i=W..5....hs..
        0x00e0:  6544 9024 894c 5d54 9ea2 59e0 3407 89a1  eD.$.L]T..Y.4...
        0x00f0:  5d6e c609 d4e6 6023 8d40 b685 44d9 6bfa  ]n....`#.@..D.k.
        0x0100:  73a2 5a7a d03f 19a5 ef08 7eba c191 95ef  s.Zz.?....~.....
        0x0110:  2850 0f2a 6f7b bec9 e4df 7cf5 9313 2ba4  (P.*o{....|...+.
        0x0120:  6153 707d 5d65 bc48 bb3b aa3c 9e9d 2126  aSp}]e.H.;.<..!& 0x0130: 36ae 69c2 6585 5899 6ef7 d68a 6e33 ff8a 6.i.e.X.n...n3.. 0x0140: 8e92 32ee fe99 bc2f 2f31 d5da 7390 7de5 ..2....//1..s.}. 0x0150: d44c 5037 574a 6185 47aa 7148 838f 6b71 .LP7WJa.G.qH..kq 0x0160: 9713 868a 38b1 9bba 84bd 25cd 4e50 5850 ....8.....%.NPXP 0x0170: f2fc 44b5 1689 e8f0 3d98 c35e 5f78 e453 ..D.....=..^_x.S 0x0180: 94e5 4c43 5f73 929a e984 19e8 d01b f28a ..LC_s.......... 0x0190: 08cf c49f 9023 d8cb 0edc e502 f581 ec11 .....#.......... 0x01a0: 0593 f280 f664 8dce fc75 d59a 6397 0633 .....d...u..c..3 0x01b0: ff79 fd97 acd1 e00e 3509 9fbe 2db2 b1ea .y......5...-... 0x01c0: 7dcb 6311 c8b2 e7b3 b8 }.c...... 00:18:21.935095 IP 172.XXX.XXX.187.12201 > 172.XXX.XXX.120.47086: Flags [.], ack 405, win 49380, options [nop,nop,TS val 107252162 ecr 214788092], length 0
        0x0000:  4500 0034 b0cb 4000 4006 689c ac14 64bb  E..4..@.@.h...d.
        0x0010:  ac14 6478 2fa9 b7ee 7c0d e513 900c 17d5  ..dx/...|.......
        0x0020:  8010 c0e4 2183 0000 0101 080a 0664 89c2  ....!........d..
        0x0030:  0ccd 67fc                                ..g.

Graylogの画面上でも対象のログは確認できた。