2

我一直在寻找从 Windows 发送日志的选项,我已经设置了 logstash,我目前使用 logstash-forwarder 和 ssl 加密将日志从 Linux (CentOS) 服务器发送到我的 ELK 堆栈。

出于合规性原因,加密在这种环境中非常重要。

我也希望在 Windows 中使用 logstash-forwarder,但是在使用 Go 编译后,我遇到了传送事件日志的问题,我发现有些人说由于文件锁定问题,这是不可能的,而 logstash-forwarder人们似乎正在努力,但我真的等不及了。

无论如何,最终我发现 nxlog 似乎能够使用 ssl 以加密格式发送日志,我发现了一些 关于类似主题的帖子 ,虽然我已经学到了很多关于如何发送日志以及如何发送日志的知识要设置 nxlog,我仍然不知道如何设置 logstash 来接受日志,以便处理它们。

我在#nxlog 和#logstash irc 频道中询问过,并在#nxlog 中得到了一些确认,认为这是可能的,没有关于如何配置的更多信息。

无论如何,我已经获取了为我的 logstash-forwarder 使用而创建的 crt 文件(如果需要,我会创建一个新文件,如果我很高兴这将工作)并使用 pem 扩展名重命名它,我相信它应该可以正常工作ASCII 格式可读。我已经为 %CERTDIR% 创建了环境变量并将我的文件放在那里,我已经从我读过的其他文章中为 nxlog 编写了以下配置文件,我认为这是正确的,但我不是 100% 确定:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Enable json extension
<Extension json>
    Module xm_json
</Extension>

# Nxlog internal logs
<Input internal>
    Module im_internal
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

# Windows Event Log
<Input eventlog>
  # Uncomment im_msvistalog for Windows Vista/2008 and later
    Module im_msvistalog
  # Uncomment im_mseventlog for Windows XP/2000/2003
  # Module im_mseventlog
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
</Input>

<Output sslout>
    Module          om_ssl
    Host            lumberjack.domain.com
    Port            5000
    CertFile        %CERTDIR%/logstash-forwarder.crt
    AllowUntrusted  TRUE
    OutputType      Binary
</Output>

<Route 1>
    Path     eventlog, internal => sslout
</Route>

我想知道在 logstash 中使用什么输入格式我已经尝试使用以下配置将日志发送到伐木工人输入类型(使用与我的 logstash-forwarders 使用相同的配置):

input {
  lumberjack {
    port => 5000
    type => "logs"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

但是当服务启动时,我在 nxlog 日志文件中得到以下信息:

2014-11-06 21:16:20 INFO connecting to lumberjack.domain.com:5000
2014-11-06 21:16:20 INFO nxlog-ce-2.8.1248 started
2014-11-06 21:16:21 INFO successfully connected to lumberjack.domain.com:5000
2014-11-06 21:16:22 INFO remote closed SSL socket
2014-11-06 21:16:22 INFO reconnecting in 1 seconds
2014-11-06 21:16:23 INFO connecting to lumberjack.domain.com:5000
2014-11-06 21:16:24 INFO reconnecting in 2 seconds
2014-11-06 21:16:24 ERROR couldn't connect to ssl socket on lumberjack.antmarketing.com:5000; No connection could be made because the target machine actively refused it.

当我将日志记录设置为 DEBUG 时,我看到大量日志飞过,但我认为关键部分是:

2014-11-06 21:20:18 ERROR Exception was caused by "rv" at om_ssl.c:532/io_err_handler(); [om_ssl.c:532/io_err_handler()] -; [om_ssl.c:501/om_ssl_connect()] couldn't connect to ssl socket on lumberjack.domain.com:5000; No connection could be made because the target machine actively refused it.

我认为这表明我在 logstash 上使用了错误的输入法,但我想这也可能是我的 ssl 证书或其配置方式的问题。在我从 Windows 机器建立连接时,我似乎没有在正在生成的 logstash 服务器上获得任何日志。

4

2 回答 2

2

Thanks to b0ti for the help, there were a number of issues, my logstash config was crashing the service, but I also had issues with my nxlog setup as well as my ssl certs being set up in the correct way.

I found this post about creating ssl certs, which covers the way they are set up really nicely for self signed certs for use as a web service.

The main thing wrong with nxlog was as b0ti pointed out I was trying to ship in binary when that will only work when shipping to nxlog server. I also noticed in the docs that the default for AllowUntrusted is false, so I just had to delete it once I was happy ssl was working.

<Output sslout>
    Module          om_ssl
    Host            lumberjack.domain.com
    Port            5001
    CAFile          %CERTDIR%\nxlog-ca.crt
    OutputType      LineBased
</Output>

Creating the CA key, and secure it as this needs to be kept secret (cd to /etc/pki/tls):

certtool --generate-privkey --bits 2048 --outfile private/nxlog-ca.key
chown logstash:logstash private/nxlog-ca.key
chmod 600 private/nxlog-ca.key

And then Self Signed CA Cert, which will need to be transferred to your clients:

certtool --generate-self-signed --load-privkey private/nxlog-ca.key --bits 2048 --template nxlog-ca-rules.cnf --outfile certs/nxlog-ca.crt

The cnf file is standard only with this option modified:

# Whether this is a CA certificate or not
ca

The logstash input method:

input {
  tcp {
    port => 5001
    type => "nxlogs"
    ssl_cacert => "/etc/pki/tls/certs/nxlog-ca.crt"
    ssl_cert => "/etc/pki/tls/certs/nxlog.crt"
    ssl_key => "/etc/pki/tls/private/nxlog.key"
    ssl_enable => true
    format => 'json'
  }
}

Generate the private key:

certtool --generate-privkey --bits 2048 --outfile private/nxlog.key
chown logstash:logstash private private/nxlog.key
chmod 600 private/nxlog.key

Generate the CSR (Certificate Signing Request):

certtool --generate-request --bits 2048 --load-privkey private/nxlog.key --outfile private/nxlog.csr

Sign the Cert with the CA private key

certtool --generate-certificate --bits 2048 --load-request private/nxlog.csr --outfile certs/nxlog.crt --load-ca-certificate certs/nxlog-ca.crt --load-ca-privkey private/nxlog-ca.key --template nxlog-rules.cnf

Again the only important part over the standard inputs for the cnf file will be:

# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is preferred to use different
# keys for encryption and signing.
encryption_key

# Whether this certificate will be used for a TLS client
tls_www_client

I've tested this and it works well, I just need to get the filters set up now

于 2014-11-11T21:25:25.430 回答
1

二进制数据格式是特定于 nxlog 的,只有在发送到 nxlog 时才应使用它。

OutputType      Binary

如果这没有帮助,请检查 logstash 日志,因为它是关闭连接的远程端 (logstash)。

于 2014-11-07T09:23:50.063 回答