centos:web_c7:graylog2

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen Revision Vorhergehende Überarbeitung
Nächste Überarbeitung		 Vorhergehende Überarbeitung
centos:web_c7:graylog2 [17.02.2017 12:12. ] – [graylog v2 - WEB-GUI] djangocentos:web_c7:graylog2 [22.07.2019 14:42. ] (aktuell) django
Zeile 64: Zeile 64:
   sub  2048R/60D31954 2013-09-16   sub  2048R/60D31954 2013-09-16
  
-Diesen **Key fingerprint = 4609 5ACC 8548 582C 1A26  99A9 D27D 666C D88E 42B4** vergleichen wir nun mit den Angaben auf der [[https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-repositories.html|elasticsearch Dokumentationsseite]]. Stimmen beide Fingerprints überein, steht dem Import des Schlüssels nicht'mehr entgegen.+Diesen **Key fingerprint = 4609 5ACC 8548 582C 1A26  99A9 D27D 666C D88E 42B4** vergleichen wir nun mit den Angaben auf der [[https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-repositories.html|elasticsearch Dokumentationsseite]]. Stimmen beide Fingerprints überein, steht dem Import des Schlüssels nichts mehr entgegen.
    # rpm --import /etc/pki/rpm-gpg/GPG-KEY-elasticsearch    # rpm --import /etc/pki/rpm-gpg/GPG-KEY-elasticsearch
  
Zeile 70: Zeile 70:
 Graylog selbst werden wir später aus dem Repository von **graylog** installieren. So bleibt zum einen der Konfigurationsaufwand überschaubar und wir werden mit Updates versorgt, wenn Änderungen und/oder Erweiterungen am Programmcode von graylog notwendig werden. Graylog selbst werden wir später aus dem Repository von **graylog** installieren. So bleibt zum einen der Konfigurationsaufwand überschaubar und wir werden mit Updates versorgt, wenn Änderungen und/oder Erweiterungen am Programmcode von graylog notwendig werden.
 Die Integration des benötigten Repositories erfolgt direkt mit nachfolgendem Befehl: Die Integration des benötigten Repositories erfolgt direkt mit nachfolgendem Befehl:
-   # yum localinstall https://packages.graylog2.org/repo/packages/graylog-2.2-repository_latest.rpm+   # yum localinstall https://packages.graylog2.org/repo/packages/graylog-2.3-repository_latest.rpm
  
-Anschließend kontrollieren wir nun die installierte Repo-Datei und tragen dort z.B. die gewünschte Priorität nach.+Anschliessend kontrollieren wir nun die installierte Repo-Datei und tragen dort z.B. die gewünschte Priorität nach.
    # vim /etc/yum.repos.d/graylog.repo    # vim /etc/yum.repos.d/graylog.repo
 <file bash /etc/yum.repos.d/graylog.repo>[graylog] <file bash /etc/yum.repos.d/graylog.repo>[graylog]
 name=graylog name=graylog
-baseurl=https://packages.graylog2.org/repo/el/stable/2.2/$basearch/+baseurl=https://packages.graylog2.org/repo/el/stable/2.3/$basearch/
 gpgcheck=1 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-graylog gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-graylog
Zeile 249: Zeile 249:
 Im nächsten Schritt installieren wir nun noch elasticsearch als Suchmaschine/-server. Im nächsten Schritt installieren wir nun noch elasticsearch als Suchmaschine/-server.
    # yum install elasticsearch -y    # yum install elasticsearch -y
- 
-Bei der Installation des RPMs werden unter anderem folgende Informationen angegeben: 
-<code>... 
- 
-Running transaction check 
-Running transaction test 
-Transaction test succeeded 
-Running transaction 
-Creating elasticsearch group... OK 
-Creating elasticsearch user... OK 
-  Installing : elasticsearch-2.4.4-1.noarch                                                                                                                                 1/ 
-### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd 
- sudo systemctl daemon-reload 
- sudo systemctl enable elasticsearch.service 
-### You can start elasticsearch service by executing 
- sudo systemctl start elasticsearch.service 
-  Verifying  : elasticsearch-2.4.4-1.noarch                                                                                                                                 1/ 
- 
-Installed: 
-  elasticsearch.noarch 0:2.4.4-1                                                             
-</code> 
- 
-Bei dr späteren Konfiguration werden wir diese Schritte dann nachholen. 
  
 Wollen wir wissen, welche Dateien und Verzeichnisse das Paket auf unseren Server packte, benutzen wir folgenden Befehl. Wollen wir wissen, welche Dateien und Verzeichnisse das Paket auf unseren Server packte, benutzen wir folgenden Befehl.
Zeile 370: Zeile 347:
 /var/log/elasticsearch /var/log/elasticsearch
 /var/run/elasticsearch</code> /var/run/elasticsearch</code>
 +
 ==== graylog ==== ==== graylog ====
 Zu guter letzt installieren wir nun noch Pakete **graylog** sowie das Zusatzprogramm **pwgen** zum Generieren von Passwörtern, natürlich auch dieses mal mit Unterstützung von **YUM**. Zu guter letzt installieren wir nun noch Pakete **graylog** sowie das Zusatzprogramm **pwgen** zum Generieren von Passwörtern, natürlich auch dieses mal mit Unterstützung von **YUM**.
Zeile 378: Zeile 356:
    # rpm -qil graylog-server    # rpm -qil graylog-server
 <code>Name        : graylog-server <code>Name        : graylog-server
-Version     : 2.2.0 +Version     : 2.3.1 
-Release     : 11+Release     : 1
 Architecture: noarch Architecture: noarch
-Install Date: Wed 15 Feb 2017 04:21:21 PM CET+Install Date: Wed 27 Sep 2017 11:26:28 AM CEST
 Group       : optional Group       : optional
-Size        : 106769271+Size        : 110416070
 License     : GPLv3 License     : GPLv3
-Signature   : RSA/SHA1, Thu 09 Feb 2017 12:43:00 PM CET, Key ID d44c1d8db1606f22 +Signature   : RSA/SHA1, Fri 25 Aug 2017 03:57:24 PM CEST, Key ID d44c1d8db1606f22 
-Source RPM  : graylog-server-2.2.0-11.src.rpm +Source RPM  : graylog-server-2.3.1-1.src.rpm 
-Build Date  : Thu 09 Feb 2017 12:42:54 PM CET +Build Date  : Fri 25 Aug 2017 03:57:17 PM CEST 
-Build Host  : f89729f86e48+Build Host  : 5ee9456006b4
 Relocations : /  Relocations : / 
 Packager    : Graylog, Inc. <hello@graylog.org> Packager    : Graylog, Inc. <hello@graylog.org>
Zeile 407: Zeile 385:
 /usr/share/graylog-server/lib/sigar/libsigar-amd64-linux.so /usr/share/graylog-server/lib/sigar/libsigar-amd64-linux.so
 /usr/share/graylog-server/lib/sigar/libsigar-x86-linux.so /usr/share/graylog-server/lib/sigar/libsigar-x86-linux.so
-/usr/share/graylog-server/plugin/graylog-plugin-anonymous-usage-statistics-2.2.0.jar +/usr/share/graylog-server/plugin/graylog-plugin-anonymous-usage-statistics-2.3.1.jar 
-/usr/share/graylog-server/plugin/graylog-plugin-beats-2.2.0.jar +/usr/share/graylog-server/plugin/graylog-plugin-beats-2.3.1.jar 
-/usr/share/graylog-server/plugin/graylog-plugin-collector-2.2.0.jar +/usr/share/graylog-server/plugin/graylog-plugin-collector-2.3.1.jar 
-/usr/share/graylog-server/plugin/graylog-plugin-enterprise-integration-2.2.0.jar +/usr/share/graylog-server/plugin/graylog-plugin-enterprise-integration-2.3.1.jar 
-/usr/share/graylog-server/plugin/graylog-plugin-map-widget-2.2.0.jar +/usr/share/graylog-server/plugin/graylog-plugin-map-widget-2.3.1.jar 
-/usr/share/graylog-server/plugin/graylog-plugin-pipeline-processor-2.2.0.jar</code>+/usr/share/graylog-server/plugin/graylog-plugin-pipeline-processor-2.3.1.jar</code>
  
  
Zeile 473: Zeile 451:
 </pre></html> </pre></html>
  
-Der erfolgreiche Start des Servers wird auch in dessen Logdatei protokolliert.+Der erfolgreiche Start des Servers wird auch in dessen Logdatei protokolliert. 
    # less /var/log/mongodb/mongod.log    # less /var/log/mongodb/mongod.log
  
Zeile 603: Zeile 581:
  
   Created symlink from /etc/systemd/system/multi-user.target.wants/setra256.service to /etc/systemd/system/setra256.service.   Created symlink from /etc/systemd/system/multi-user.target.wants/setra256.service to /etc/systemd/system/setra256.service.
- 
- 
  
 === automatischer Start des Daemon === === automatischer Start des Daemon ===
Zeile 738: Zeile 714:
  
 Geben wir ein falsches Passwort ein, wird natürlich der Zugang verwehrt. Geben wir ein falsches Passwort ein, wird natürlich der Zugang verwehrt.
-   # mongo -u "graylog-user" -p "7h3FBI15n07ar0ckb4and" 127.0.0.1:27017/graylog+   # mongo -u "graylog-user" -p "7h3FBI15ar0ckb4and" 127.0.0.1:27017/graylog
  
   MongoDB shell version: 2.6.12   MongoDB shell version: 2.6.12
Zeile 1369: Zeile 1345:
 Anschließend informieren wir den **systemd** über unser "updatesicheres" Startscript. Anschließend informieren wir den **systemd** über unser "updatesicheres" Startscript.
    systemctl daemon-reload    systemctl daemon-reload
- 
- 
- 
- 
- 
- 
  
 === Start des Daemon === === Start des Daemon ===
Zeile 2213: Zeile 2183:
  
  
-=== Apache Reverse-Proxy === 
 Da der **graylog-web**-Daemon __ohne__ Root-Rechte gestartet wird, können wir nur unprivilegierte Ports (Ports größer als 1024) definieren. Da wir aber die Graylog-Web-GUI auch von außen, über einen TLS geschützten Transportkanal ansprechen wollen, nutzen wir einen Apache-vHOST als Reverse-Proxy. Da der **graylog-web**-Daemon __ohne__ Root-Rechte gestartet wird, können wir nur unprivilegierte Ports (Ports größer als 1024) definieren. Da wir aber die Graylog-Web-GUI auch von außen, über einen TLS geschützten Transportkanal ansprechen wollen, nutzen wir einen Apache-vHOST als Reverse-Proxy.
  
Zeile 2359: Zeile 2328:
  
  
-=== Start des Daemon === 
-Nun ist es an der Zeit den die Web-GUI **graylog-web** zu starten. 
-   # systemctl start graylog-web.service 
- 
-Den Serverstatus können wir wie folgt abfragen. 
-   # systemctl status graylog-web.service 
- 
-<html><pre class="code"> 
-<font style="color: rgb(0, 255, 0)"><b>● </b></font><font style="color: rgb(0, 0, 0)">graylog-web.service - Graylog web interface 
-   Loaded: loaded (/usr/lib/systemd/system/graylog-web.service; enabled; vendor preset: disabled) 
-   Active: <font style="color: rgb(0, 255, 0)"><b>active (running) </b></font><font style="color: rgb(0, 0, 0)">since Mon 2015-12-28 15:21:52 CET; 11s ago 
-     Docs: http://docs.graylog.org/ 
- Main PID: 8767 (graylog-web) 
-   CGroup: /system.slice/graylog-web.service 
-           ├─8767 /bin/sh /usr/share/graylog-web/bin/graylog-web 
-           └─8768 java -Xms1024m -Xmx1024m -XX:ReservedCodeCacheSize=128m -Dconfig.file=/etc/graylog/web/web.conf -Dlogger.file=/etc/graylog/web/logback.xml -Dpidfile.path=/dev/... 
- 
-Dec 28 15:21:52 vml000117.dmz.nausch.org systemd[1]: Started Graylog web interface. 
-Dec 28 15:21:52 vml000117.dmz.nausch.org systemd[1]: Starting Graylog web interface... 
-Dec 28 15:21:53 vml000117.dmz.nausch.org graylog-web[8767]: Play server process ID is 8768</font> 
-</pre></html> 
- 
-Der erfolgreiche Start des Servers wird auch in dessen Logdatei protokolliert. 
-   # /var/log/graylog-web/application.log 
- 
-<code>2015-12-28T15:21:56.752+01:00 - [INFO] - from play in main 
-Application started (Prod) 
- 
-2015-12-28T15:21:56.812+01:00 - [INFO] - from play in main 
-Listening for HTTP on /10.0.0.117:9000</code> 
- 
-=== automatischer Start des Daemon === 
-Damit der Daemon beim Hochfahren unseres Servers automatisch gestartet wird, nutzen wir folgenden Befehl. 
-   # systemctl enable graylog-web.service 
- 
-  Created symlink from /etc/systemd/system/multi-user.target.wants/graylog-web.service to /usr/lib/systemd/system/graylog-web.service. 
- 
-Wollen wir wissen, ob die Autostartfunktion bereits gesetzt ist, verwenden wir diesen Aufruf. 
-   # systemctl is-enabled graylog-web.service 
- 
-  enabled 
  
 ==== Paketfilter/Firewall  ==== ==== Paketfilter/Firewall  ====
-=== graylog-web ===+=== graylog v2 WEB-GUI ===
 Unter **CentOS 7** wird als Standard-Firewall die dynamische **firewalld** verwendet. Ein großer Vorteil der dynamischen Paketfilterregeln ist unter anderem, dass zur Aktivierung der neuen Firewall-Regel(n) nicht der Daemon durchgestartet werden muss und somit alle aktiven Verbindungen kurz getrennt werden. Sondern unsere Änderungen können **//on-the-fly//** aktiviert oder auch wieder deaktiviert werden. Unter **CentOS 7** wird als Standard-Firewall die dynamische **firewalld** verwendet. Ein großer Vorteil der dynamischen Paketfilterregeln ist unter anderem, dass zur Aktivierung der neuen Firewall-Regel(n) nicht der Daemon durchgestartet werden muss und somit alle aktiven Verbindungen kurz getrennt werden. Sondern unsere Änderungen können **//on-the-fly//** aktiviert oder auch wieder deaktiviert werden.
  
Zeile 2428: Zeile 2356:
    # ps aux | grep graylog-server    # ps aux | grep graylog-server
  
-<code bash>graylog   1382  0.0  0.0 113116  1404 ?        Ss    2015   0:00 /bin/sh /usr/share/graylog-server/bin/graylog-server +<code bash>graylog   2832  0.0  0.0 113120  1368 ?        Ss   12:11   0:00 /bin/sh /usr/share/graylog-server/bin/graylog-server 
-graylog   1391  3.4 17.4 3875072 1396880 ?     Sl    2015 190:29 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -jar -Dlog4j.configuration=file:///etc/graylog/server/log4j.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np</code>+graylog   2833  7.1 13.2 3874092 1087156 ?     Sl   12:11   4:39 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -jar -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np 
 +root      3965  0.0  0.0 112648   924 pts/0    R+   13:16   0:00 grep --color=auto graylog-server</code>
  
 Somit können wir keine bei der Definition von **[[https://graylog.nausch.org/system/inputs|Eingangskanälen]]** (Inputs) keine dieser privilegierte Ports direkt ansprechen. Bei vielen Netzwerkgeräten, wie Router, Switche oder Telefone kann man bei der Definition des Syslog-Dienstes nur den Namen bzw. IP-Adresse des Zielservers angeben, nicht aber die den vordefinierten Port **514**.  Somit können wir keine bei der Definition von **[[https://graylog.nausch.org/system/inputs|Eingangskanälen]]** (Inputs) keine dieser privilegierte Ports direkt ansprechen. Bei vielen Netzwerkgeräten, wie Router, Switche oder Telefone kann man bei der Definition des Syslog-Dienstes nur den Namen bzw. IP-Adresse des Zielservers angeben, nicht aber die den vordefinierten Port **514**. 
Zeile 2463: Zeile 2392:
 Nachdem wir unseren graylog-Server erfolgreich vorbereitet haben, werden wir nun unsere Linux-Hosts so konfigurieren, dass diese ihre syslog-Meldungen zu unserem zentralem syslog-/graylog-Server senden. Nachdem wir unseren graylog-Server erfolgreich vorbereitet haben, werden wir nun unsere Linux-Hosts so konfigurieren, dass diese ihre syslog-Meldungen zu unserem zentralem syslog-/graylog-Server senden.
  
-Das Weiterleiten der Syslogmeldungen ist nicht sonderlich schwer zu konfigurieren. Das Wichtigste das es zu beachten gibt, ist, dass die Meldungen gemäß dem **[[https://www.ietf.org/rfc/rfc5424.txt|RFC 5424]]** formatiert werden.+Das Weiterleiten der Syslogmeldungen ist nicht sonderlich schwer zu konfigurieren. Das Wichtigste das es zu beachten gibt, ist, dass die Meldungen gemäss dem **[[https://www.ietf.org/rfc/rfc5424.txt|RFC 5424]]**, insbesondere ist darauf zu achten dass die Meldungen dem **[[http://www.rsyslog.com/tag/rfc5424/|RSYSLOG_SyslogProtocol23Format]]** entsprechend formatiert werden.
  
 ==== UDP ==== ==== UDP ====
Zeile 2486: Zeile 2415:
 #*.* @@remote-host:514 #*.* @@remote-host:514
 # #
-# Django : 2015-06-12+# Django : 2017-02-14
 $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n" $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
-*.* @10.0.0.117:514;GRAYLOGRFC5424+*.* @10.0.0.117:514;RSYSLOG_SyslogProtocol23Format
 # #
 # ### end of the forwarding rule ###</code> # ### end of the forwarding rule ###</code>
Zeile 2516: Zeile 2445:
 #*.* @@remote-host:514 #*.* @@remote-host:514
 # #
-# Django : 2015-06-12+# Django : 2017-02-14
 $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n" $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
-*.* @@10.0.0.117:514;GRAYLOGRFC5424+*.* @@10.0.0.117:514;RSYSLOG_SyslogProtocol23Format
 # #
 # ### end of the forwarding rule ###</code> # ### end of the forwarding rule ###</code>
Zeile 2687: Zeile 2616:
 -rw-r--r--. 1 root root 3 Jan  3 19:40 serial</code> -rw-r--r--. 1 root root 3 Jan  3 19:40 serial</code>
  
 +<code>/etc/pki/CA
 +├── certs
 +├── crl
 +├── csrs
 +├── index.txt
 +├── newcerts
 +├── private
 +└── serial</code>
 +
 +Die CA-Konfigurationsdatei passen wir noch unseren Wünschen entsprechend an.
 +   # vim /etc/pki/tls/openssl.cnf
 +
 +<file bash /etc/pki/tls/openssl.cnf>#
 +# OpenSSL example configuration file.
 +# This is mostly being used for generation of certificate requests.
 +#
 +
 +# This definition stops the following lines choking if HOME isn't
 +# defined.
 +HOME = .
 +RANDFILE = $ENV::HOME/.rnd
 +
 +# Extra OBJECT IDENTIFIER info:
 +#oid_file = $ENV::HOME/.oid
 +oid_section = new_oids
 +
 +# To use this configuration file with the "-extfile" option of the
 +# "openssl x509" utility, name here the section containing the
 +# X.509v3 extensions to use:
 +# extensions = 
 +# (Alternatively, use a configuration file that has only
 +# X.509v3 extensions in its main [= default] section.)
 +
 +[ new_oids ]
 +
 +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
 +# Add a simple OID like this:
 +# testoid1=1.2.3.4
 +# Or use config file substitution like this:
 +# testoid2=${testoid1}.5.6
 +
 +# Policies used by the TSA examples.
 +tsa_policy1 = 1.2.3.4.1
 +tsa_policy2 = 1.2.3.4.5.6
 +tsa_policy3 = 1.2.3.4.5.7
 +
 +####################################################################
 +[ ca ]
 +default_ca = CA_default # The default ca section
 +
 +####################################################################
 +[ CA_default ]
 +
 +dir = /etc/pki/CA # Where everything is kept
 +certs = $dir/certs # Where the issued certs are kept
 +crl_dir = $dir/crl # Where the issued crl are kept
 +database = $dir/index.txt # database index file.
 +#unique_subject = no # Set to 'no' to allow creation of
 + # several ctificates with same subject.
 +new_certs_dir = $dir/newcerts # default place for new certs.
 +
 +# Django : 2017-02-14
 +# default: certificate  = $dir/cacert.pem       # The CA certificate
 +certificate     = $dir/certs/root-ca.certifikate.pem
 +serial = $dir/serial # The current serial number
 +crlnumber = $dir/crlnumber # the current crl number
 + # must be commented out to leave a V1 CRL
 +crl = $dir/crl.pem # The current CRL
 +# Django : 2017-02-14
 +# default: private_key = $dir/private/cakey.pem   # The private key
 +private_key = $dir/private/root-ca.key.pem
 +RANDFILE = $dir/private/.rand # private random number file
 +
 +x509_extensions = usr_cert # The extentions to add to the cert
 +
 +# Comment out the following two lines for the "traditional"
 +# (and highly broken) format.
 +name_opt = ca_default # Subject Name options
 +cert_opt = ca_default # Certificate field options
 +
 +# Extension copying option: use with caution.
 +# copy_extensions = copy
 +
 +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 +# so this is commented out by default to leave a V1 CRL.
 +# crlnumber must also be commented out to leave a V1 CRL.
 +# crl_extensions = crl_ext
 +
 +default_days = 365 # how long to certify for
 +default_crl_days= 30 # how long before next CRL
 +default_md = sha256 # use SHA-256 by default
 +preserve = no # keep passed DN ordering
 +
 +# A few difference way of specifying how similar the request should look
 +# For type CA, the listed attributes must be the same, and the optional
 +# and supplied fields are just that :-)
 +policy = policy_match
 +
 +# For the CA policy
 +[ policy_match ]
 +countryName = match
 +stateOrProvinceName = match
 +organizationName = match
 +organizationalUnitName = optional
 +commonName = supplied
 +emailAddress = optional
 +
 +# For the 'anything' policy
 +# At this point in time, you must list all acceptable 'object'
 +# types.
 +[ policy_anything ]
 +countryName = optional
 +stateOrProvinceName = optional
 +localityName = optional
 +organizationName = optional
 +organizationalUnitName = optional
 +commonName = supplied
 +emailAddress = optional
 +
 +####################################################################
 +[ req ]
 +default_bits = 2048
 +default_md = sha256
 +default_keyfile = privkey.pem
 +distinguished_name = req_distinguished_name
 +attributes = req_attributes
 +x509_extensions = v3_ca # The extentions to add to the self signed cert
 +
 +# Passwords for private keys if not present they will be prompted for
 +# input_password = secret
 +# output_password = secret
 +
 +# This sets a mask for permitted string types. There are several options. 
 +# default: PrintableString, T61String, BMPString.
 +# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
 +# utf8only: only UTF8Strings (PKIX recommendation after 2004).
 +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 +# MASK:XXXX a literal mask value.
 +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
 +string_mask = utf8only
 +
 +# req_extensions = v3_req # The extensions to add to a certificate request
 +
 +[ req_distinguished_name ]
 +countryName = Country Name (2 letter code)
 +countryName_default = XX
 +countryName_min = 2
 +countryName_max = 2
 +
 +stateOrProvinceName = State or Province Name (full name)
 +#stateOrProvinceName_default = Default Province
 +
 +localityName = Locality Name (eg, city)
 +localityName_default = Default City
 +
 +0.organizationName = Organization Name (eg, company)
 +0.organizationName_default = Default Company Ltd
 +
 +# we can do this but it is not needed normally :-)
 +#1.organizationName = Second Organization Name (eg, company)
 +#1.organizationName_default = World Wide Web Pty Ltd
 +
 +organizationalUnitName = Organizational Unit Name (eg, section)
 +#organizationalUnitName_default =
 +
 +commonName = Common Name (eg, your name or your server\'s hostname)
 +commonName_max = 64
 +
 +emailAddress = Email Address
 +emailAddress_max = 64
 +
 +# SET-ex3 = SET extension number 3
 +
 +[ req_attributes ]
 +challengePassword = A challenge password
 +challengePassword_min = 4
 +challengePassword_max = 20
 +
 +unstructuredName = An optional company name
 +
 +[ usr_cert ]
 +
 +# These extensions are added when 'ca' signs a request.
 +
 +# This goes against PKIX guidelines but some CAs do it and some software
 +# requires this to avoid interpreting an end user certificate as a CA.
 +
 +basicConstraints=CA:FALSE
 +
 +# Here are some examples of the usage of nsCertType. If it is omitted
 +# the certificate can be used for anything *except* object signing.
 +
 +# This is OK for an SSL server.
 +# nsCertType = server
 +
 +# For an object signing certificate this would be used.
 +# nsCertType = objsign
 +
 +# For normal client use this is typical
 +# nsCertType = client, email
 +
 +# and for everything including object signing:
 +# nsCertType = client, email, objsign
 +
 +# This is typical in keyUsage for a client certificate.
 +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 +
 +# This will be displayed in Netscape's comment listbox.
 +nsComment = "OpenSSL Generated Certificate"
 +
 +# PKIX recommendations harmless if included in all certificates.
 +subjectKeyIdentifier=hash
 +authorityKeyIdentifier=keyid,issuer
 +
 +# This stuff is for subjectAltName and issuerAltname.
 +# Import the email address.
 +# subjectAltName=email:copy
 +# An alternative to produce certificates that aren't
 +# deprecated according to PKIX.
 +# subjectAltName=email:move
 +
 +# Copy subject details
 +# issuerAltName=issuer:copy
 +
 +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
 +#nsBaseUrl
 +#nsRevocationUrl
 +#nsRenewalUrl
 +#nsCaPolicyUrl
 +#nsSslServerName
 +
 +# This is required for TSA certificates.
 +# extendedKeyUsage = critical,timeStamping
 +
 +[ v3_req ]
 +
 +# Extensions to add to a certificate request
 +
 +basicConstraints = CA:FALSE
 +keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 +
 +[ v3_ca ]
 +
 +
 +# Extensions for a typical CA
 +
 +
 +# PKIX recommendation.
 +
 +subjectKeyIdentifier=hash
 +
 +authorityKeyIdentifier=keyid:always,issuer
 +
 +# This is what PKIX recommends but some broken software chokes on critical
 +# extensions.
 +#basicConstraints = critical,CA:true
 +# So we do this instead.
 +basicConstraints = CA:true
 +
 +# Key usage: this is typical for a CA certificate. However since it will
 +# prevent it being used as an test self-signed certificate it is best
 +# left out by default.
 +# keyUsage = cRLSign, keyCertSign
 +
 +# Some might want this also
 +# nsCertType = sslCA, emailCA
 +
 +# Include email address in subject alt name: another PKIX recommendation
 +# subjectAltName=email:copy
 +# Copy issuer details
 +# issuerAltName=issuer:copy
 +
 +# DER hex encoding of an extension: beware experts only!
 +# obj=DER:02:03
 +# Where 'obj' is a standard or added object
 +# You can even override a supported extension:
 +# basicConstraints= critical, DER:30:03:01:01:FF
 +
 +[ crl_ext ]
 +
 +# CRL extensions.
 +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 +
 +# issuerAltName=issuer:copy
 +authorityKeyIdentifier=keyid:always
 +
 +[ proxy_cert_ext ]
 +# These extensions should be added when creating a proxy certificate
 +
 +# This goes against PKIX guidelines but some CAs do it and some software
 +# requires this to avoid interpreting an end user certificate as a CA.
 +
 +basicConstraints=CA:FALSE
 +
 +# Here are some examples of the usage of nsCertType. If it is omitted
 +# the certificate can be used for anything *except* object signing.
 +
 +# This is OK for an SSL server.
 +# nsCertType = server
 +
 +# For an object signing certificate this would be used.
 +# nsCertType = objsign
 +
 +# For normal client use this is typical
 +# nsCertType = client, email
 +
 +# and for everything including object signing:
 +# nsCertType = client, email, objsign
 +
 +# This is typical in keyUsage for a client certificate.
 +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 +
 +# This will be displayed in Netscape's comment listbox.
 +nsComment = "OpenSSL Generated Certificate"
 +
 +# PKIX recommendations harmless if included in all certificates.
 +subjectKeyIdentifier=hash
 +authorityKeyIdentifier=keyid,issuer
 +
 +# This stuff is for subjectAltName and issuerAltname.
 +# Import the email address.
 +# subjectAltName=email:copy
 +# An alternative to produce certificates that aren't
 +# deprecated according to PKIX.
 +# subjectAltName=email:move
 +
 +# Copy subject details
 +# issuerAltName=issuer:copy
 +
 +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
 +#nsBaseUrl
 +#nsRevocationUrl
 +#nsRenewalUrl
 +#nsCaPolicyUrl
 +#nsSslServerName
 +
 +# This really needs to be in place for it to be a proxy certificate.
 +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 +
 +####################################################################
 +[ tsa ]
 +
 +default_tsa = tsa_config1 # the default TSA section
 +
 +[ tsa_config1 ]
 +
 +# These are used by the TSA reply generation only.
 +dir = ./demoCA # TSA root directory
 +serial = $dir/tsaserial # The current serial number (mandatory)
 +crypto_device = builtin # OpenSSL engine to use for signing
 +signer_cert = $dir/tsacert.pem # The TSA signing certificate
 + # (optional)
 +certs = $dir/cacert.pem # Certificate chain to include in reply
 + # (optional)
 +signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
 +
 +default_policy = tsa_policy1 # Policy if request did not specify it
 + # (optional)
 +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
 +digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
 +accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
 +clock_precision_digits  = 0 # number of digits after dot. (optional)
 +ordering = yes # Is ordering defined for timestamps?
 + # (optional, default: no)
 +tsa_name = yes # Must the TSA name be included in the reply?
 + # (optional, default: no)
 +ess_cert_id_chain = no # Must the ESS cert id chain be included?
 + # (optional, default: no)</file>
 === privaten Schlüssel und selbstsigniertes Root CA Zertifikat erstellen === === privaten Schlüssel und selbstsigniertes Root CA Zertifikat erstellen ===
 Als erstes werden wir uns nun den privaten Schlüssel unserer Root CA generieren, in zugehöriges Zertifikat erzeugen und dieses mit dem privaten Schlüssel der CA unterschreiben; all das passiert bei nachfolgendem Befehlsaufruf. Zur besseren Unterscheidung sind die Eingaben sowohl kursiv und fett gedruckt in der Farbe <html><font style="color: rgb(0, 0, 255)"><i><b>blau</b></i></font></html> und die Rückmeldungen in der Farbe <html><font style="color: rgb(102, 102, 102)"><b>grau</b></font></html> gekennzeichnet. Als erstes werden wir uns nun den privaten Schlüssel unserer Root CA generieren, in zugehöriges Zertifikat erzeugen und dieses mit dem privaten Schlüssel der CA unterschreiben; all das passiert bei nachfolgendem Befehlsaufruf. Zur besseren Unterscheidung sind die Eingaben sowohl kursiv und fett gedruckt in der Farbe <html><font style="color: rgb(0, 0, 255)"><i><b>blau</b></i></font></html> und die Rückmeldungen in der Farbe <html><font style="color: rgb(102, 102, 102)"><b>grau</b></font></html> gekennzeichnet.
Zeile 2718: Zeile 3015:
 <font style="color: rgb(102, 102, 102)">Email Address []:</font><font style="color: rgb(0, 0, 255)"><b><i>ca-admin@nausch.org</i></b></font> <font style="color: rgb(102, 102, 102)">Email Address []:</font><font style="color: rgb(0, 0, 255)"><b><i>ca-admin@nausch.org</i></b></font>
 </pre></html> </pre></html>
 +
 +Sowohl Zertifikat und der Schlüssel des gerade erzeugten Root Zertifikates liegen nun in unserem CA-Systemverzeichnis.
 +<code>/etc/pki/CA
 +├── certs
 +│   └── root-ca.certifikate.pem
 +├── crl
 +├── csrs
 +├── index.txt
 +├── newcerts
 +├── private
 +│   └── root-ca.key.pem
 +└── serial</code>
  
 === privaten Schlüssel der Root CA schützen === === privaten Schlüssel der Root CA schützen ===
Zeile 2943: Zeile 3252:
 <html><pre class="code"> <html><pre class="code">
 <font style="color: rgb(0, 0, 0)"># </font><font style="color: rgb(0, 0, 255)"><b><i>openssl pkcs8 -topk8 -in /etc/pki/tls/private/graylog-server.dmz.nausch.org.key.pem \ <font style="color: rgb(0, 0, 0)"># </font><font style="color: rgb(0, 0, 255)"><b><i>openssl pkcs8 -topk8 -in /etc/pki/tls/private/graylog-server.dmz.nausch.org.key.pem \
-          -inform pem -out /etc/pki/tls/private/graylog-server.dmz.nausch.org.key_pk8.pem -outform pem -nocrypt</i></b></font>+          -inform pem -out /etc/pki/tls/private/graylog-server.dmz.nausch.org.key_pk8.pem 
 +          -outform pem -nocrypt</i></b></font>
 </pre></html> </pre></html>
  
Zeile 3145: Zeile 3455:
 </pre></html> </pre></html>
  
-=== erstellte Zertifikat dem gralog-server zur Verfügung stellen ===+=== erstellte Zertifikat dem graylog-server zur Verfügung stellen ===
 Als letzten Schritt stellen wir nun das gerade erzeugte Server-Zertifikat dem graylog-server zur Verfügung. Hierzu kopieren wir einfach das gerade generierte Zertifikat an Ort und Stelle. Als letzten Schritt stellen wir nun das gerade erzeugte Server-Zertifikat dem graylog-server zur Verfügung. Hierzu kopieren wir einfach das gerade generierte Zertifikat an Ort und Stelle.
    # cp /etc/pki/CA/certs/graylog-server.dmz.nausch.org.certificate.pem /etc/pki/tls/certs/    # cp /etc/pki/CA/certs/graylog-server.dmz.nausch.org.certificate.pem /etc/pki/tls/certs/
Zeile 3640: Zeile 3950:
 kY+Z9s9+By5IVw== kY+Z9s9+By5IVw==
 -----END CERTIFICATE-----</code> -----END CERTIFICATE-----</code>
 +
  
  
 === erstellte Zertifikat dem rsyslog-Daemon auf dem Clientrechner zur Verfügung stellen === === erstellte Zertifikat dem rsyslog-Daemon auf dem Clientrechner zur Verfügung stellen ===
-Als letzten Schritt stellen wir nun das gerade erzeugte Server-Zertifikat dem graylog-server zur Verfügung. Entweder kopieren wir das Zertifikat via **scp** auf den Clientrechner oder wir legen das BASE64 kodierte Zertifikat direkt mit dem Editor unserer Wahl auf dem Client Host ab. +Als letzten Schritt stellen wir nun das gerade erzeugte Server-Zertifikat dem rsyslog-Daemon auf dem Client-Rechner zur Verfügung. Entweder kopieren wir das Zertifikat via **scp** auf den Clientrechner oder wir legen das BASE64 kodierte Zertifikat direkt mit dem Editor unserer Wahl auf dem Client Host ab. 
    # vim /etc/pki/tls/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem    # vim /etc/pki/tls/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem
  
Zeile 3682: Zeile 3993:
 kY+Z9s9+By5IVw== kY+Z9s9+By5IVw==
 -----END CERTIFICATE-----</code> -----END CERTIFICATE-----</code>
 +
 +=== Ein Zertifikat revoken ===
 +Will man ein ausgestelltes Zertifikat zurückziehen (revoken) nutzen wir ebenfalls das Programm **openssl**.
 +   # openssl ca -revoke /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem
 +
 +  Using configuration from /etc/pki/tls/openssl.cnf
 +  Enter pass phrase for /etc/pki/CA/private/root-ca.key.pem:
 +  Revoking Certificate 02.
 +  Data Base Updated
 +
  
 ===== Konfiguration graylog-server ===== ===== Konfiguration graylog-server =====
Zeile 3828: Zeile 4149:
 # The imjournal module bellow is now used as a message source instead of imuxsock. # The imjournal module bellow is now used as a message source instead of imuxsock.
 $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
-$ModLoad imjournal # provides access to the systemd journal+# Django : 2017-09-26 
 +# default: $ModLoad imjournal # provides access to the systemd journal
 #$ModLoad imklog # reads kernel messages (the same are read from journald) #$ModLoad imklog # reads kernel messages (the same are read from journald)
 #$ModLoad immark  # provides --MARK-- message capability #$ModLoad immark  # provides --MARK-- message capability
Zeile 3858: Zeile 4180:
 # Turn off message reception via local log socket; # Turn off message reception via local log socket;
 # local messages are retrieved through imjournal now. # local messages are retrieved through imjournal now.
-$OmitLocalLogging on+# Django : 2017-09-26 
 +# default: $OmitLocalLogging on
  
 # File to store the position in the journal # File to store the position in the journal
-$IMJournalStateFile imjournal.state+# Django : 2017-09-26 
 +# default: $IMJournalStateFile imjournal.state
  
 # Django : 2016-01-03 - certificate files for TLS # Django : 2016-01-03 - certificate files for TLS
Zeile 3928: Zeile 4252:
 # Django : 2016-01-03 # Django : 2016-01-03
 $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n" $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
-*.* @@10.0.0.117:6514;GRAYLOGRFC5424+*.* @@10.0.0.117:6514;RSYSLOG_SyslogProtocol23Format
 # #
 # ### end of the forwarding rule ###</file> # ### end of the forwarding rule ###</file>
Zeile 3948: Zeile 4272:
  
 Alles in allem können wir feststellen, dass mit einem überschaubaren Aufwand, die Kommunikation zwischen den rsyslog-Clients und unserem graylog-server sicher und nur noch von authorisierten Quellen gestattet werden kann. Alles in allem können wir feststellen, dass mit einem überschaubaren Aufwand, die Kommunikation zwischen den rsyslog-Clients und unserem graylog-server sicher und nur noch von authorisierten Quellen gestattet werden kann.
 +
 +==== Zertifikatsgenerierung und Clientkonfiguration ====
 +==== Zertifikatserstellung optimieren ====
 +Um nun bei der Generierung der Zertifikats-Requests und der Erstellung der zugehörigen Zertifikate nicht jedesmal die benötigten Angaben erneut eintippen zu müssen werden wir nun die wiederkehrenden Informationen in der Konfigurationsdatei //**/etc/pki/tls/openssl.cnf**// hinterlegen.
 +   # vim /etc/pki/tls/openssl.cnf
 +
 +<file bash /etc/pki/tls/openssl.cnf>#
 +# OpenSSL example configuration file.
 +# This is mostly being used for generation of certificate requests.
 +#
 +
 +# This definition stops the following lines choking if HOME isn't
 +# defined.
 +HOME = .
 +RANDFILE = $ENV::HOME/.rnd
 +
 +# Extra OBJECT IDENTIFIER info:
 +#oid_file = $ENV::HOME/.oid
 +oid_section = new_oids
 +
 +# To use this configuration file with the "-extfile" option of the
 +# "openssl x509" utility, name here the section containing the
 +# X.509v3 extensions to use:
 +# extensions = 
 +# (Alternatively, use a configuration file that has only
 +# X.509v3 extensions in its main [= default] section.)
 +
 +[ new_oids ]
 +
 +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
 +# Add a simple OID like this:
 +# testoid1=1.2.3.4
 +# Or use config file substitution like this:
 +# testoid2=${testoid1}.5.6
 +
 +# Policies used by the TSA examples.
 +tsa_policy1 = 1.2.3.4.1
 +tsa_policy2 = 1.2.3.4.5.6
 +tsa_policy3 = 1.2.3.4.5.7
 +
 +####################################################################
 +[ ca ]
 +default_ca = CA_default # The default ca section
 +
 +####################################################################
 +[ CA_default ]
 +
 +dir = /etc/pki/CA # Where everything is kept
 +certs = $dir/certs # Where the issued certs are kept
 +crl_dir = $dir/crl # Where the issued crl are kept
 +database = $dir/index.txt # database index file.
 +#unique_subject = no # Set to 'no' to allow creation of
 + # several ctificates with same subject.
 +new_certs_dir = $dir/newcerts # default place for new certs.
 +
 +# Django : 2017-02-14
 +# default: certificate = $dir/cacert.pem # The CA certificate
 +certificate = $dir/certs/root-ca.certifikate.pem
 +serial = $dir/serial # The current serial number
 +crlnumber = $dir/crlnumber # the current crl number
 + # must be commented out to leave a V1 CRL
 +crl = $dir/crl.pem # The current CRL
 +# Django : 2017-02-14
 +# default: private_key = $dir/private/cakey.pem   # The private key
 +private_key = $dir/private/root-ca.key.pem
 +RANDFILE = $dir/private/.rand # private random number file
 +
 +x509_extensions = usr_cert # The extentions to add to the cert
 +
 +# Comment out the following two lines for the "traditional"
 +# (and highly broken) format.
 +name_opt = ca_default # Subject Name options
 +cert_opt = ca_default # Certificate field options
 +
 +# Extension copying option: use with caution.
 +# copy_extensions = copy
 +
 +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 +# so this is commented out by default to leave a V1 CRL.
 +# crlnumber must also be commented out to leave a V1 CRL.
 +# crl_extensions = crl_ext
 +
 +# Django : 2017-02-14
 +# default: default_days = 365 # how long to certify for
 +default_days = 10950 
 +default_crl_days= 30 # how long before next CRL
 +default_md = sha256 # use SHA-256 by default
 +preserve = no # keep passed DN ordering
 +
 +# A few difference way of specifying how similar the request should look
 +# For type CA, the listed attributes must be the same, and the optional
 +# and supplied fields are just that :-)
 +policy = policy_match
 +
 +# For the CA policy
 +[ policy_match ]
 +countryName = match
 +stateOrProvinceName = match
 +organizationName = match
 +organizationalUnitName = optional
 +commonName = supplied
 +emailAddress = optional
 +
 +# For the 'anything' policy
 +# At this point in time, you must list all acceptable 'object'
 +# types.
 +[ policy_anything ]
 +countryName = optional
 +stateOrProvinceName = optional
 +localityName = optional
 +organizationName = optional
 +organizationalUnitName = optional
 +commonName = supplied
 +emailAddress = optional
 +
 +####################################################################
 +[ req ]
 +# Django : 2017-02-14
 +# default: default_bits = 2048
 +default_bits = 4096
 +default_md = sha256
 +default_keyfile = privkey.pem
 +distinguished_name = req_distinguished_name
 +attributes = req_attributes
 +x509_extensions = v3_ca # The extentions to add to the self signed cert
 +
 +# Passwords for private keys if not present they will be prompted for
 +# input_password = secret
 +# output_password = secret
 +
 +# This sets a mask for permitted string types. There are several options. 
 +# default: PrintableString, T61String, BMPString.
 +# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
 +# utf8only: only UTF8Strings (PKIX recommendation after 2004).
 +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 +# MASK:XXXX a literal mask value.
 +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
 +string_mask = utf8only
 +
 +# req_extensions = v3_req # The extensions to add to a certificate request
 +
 +[ req_distinguished_name ]
 +countryName = Country Name (2 letter code)
 +# Django : 2017-02-14
 +# default: countryName_default = XX
 +countryName_default = DE
 +countryName_min = 2
 +countryName_max = 2
 +
 +stateOrProvinceName = State or Province Name (full name)
 +# Django : 2017-02-14
 +# default: #stateOrProvinceName_default = Default Province
 +stateOrProvinceName_default = Bayern
 +
 +localityName = Locality Name (eg, city)
 +# Django : 2017-02-14
 +# default: localityName_default = Default City
 +localityName_default = Pliening 
 +
 +0.organizationName = Organization Name (eg, company)
 +# Django : 2017-02-14
 +# default: 0.organizationName_default = Default Company Ltd
 +0.organizationName_default = nausch.org
 +
 +# we can do this but it is not needed normally :-)
 +#1.organizationName = Second Organization Name (eg, company)
 +#1.organizationName_default = World Wide Web Pty Ltd
 +
 +organizationalUnitName = Organizational Unit Name (eg, section)
 +# Django : 2017-02-14
 +# default: #organizationalUnitName_default =
 +organizationalUnitName_default = IT-Monitoring
 +
 +commonName = Common Name (eg, your name or your server\'s hostname)
 +commonName_max = 64
 +
 +emailAddress = Email Address
 +emailAddress_max = 64
 +# Django : 2017-02-14
 +# default: unset
 +emailAddress_default = graylog-admin@nausch.org
 +
 +# SET-ex3 = SET extension number 3
 +
 +[ req_attributes ]
 +challengePassword = A challenge password
 +challengePassword_min = 4
 +challengePassword_max = 20
 +
 +unstructuredName = An optional company name
 +
 +[ usr_cert ]
 +
 +# These extensions are added when 'ca' signs a request.
 +
 +# This goes against PKIX guidelines but some CAs do it and some software
 +# requires this to avoid interpreting an end user certificate as a CA.
 +
 +basicConstraints=CA:FALSE
 +
 +# Here are some examples of the usage of nsCertType. If it is omitted
 +# the certificate can be used for anything *except* object signing.
 +
 +# This is OK for an SSL server.
 +# nsCertType = server
 +
 +# For an object signing certificate this would be used.
 +# nsCertType = objsign
 +
 +# For normal client use this is typical
 +# nsCertType = client, email
 +
 +# and for everything including object signing:
 +# nsCertType = client, email, objsign
 +
 +# This is typical in keyUsage for a client certificate.
 +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 +
 +# This will be displayed in Netscape's comment listbox.
 +nsComment = "OpenSSL Generated Certificate"
 +
 +# PKIX recommendations harmless if included in all certificates.
 +subjectKeyIdentifier=hash
 +authorityKeyIdentifier=keyid,issuer
 +
 +# This stuff is for subjectAltName and issuerAltname.
 +# Import the email address.
 +# subjectAltName=email:copy
 +# An alternative to produce certificates that aren't
 +# deprecated according to PKIX.
 +# subjectAltName=email:move
 +
 +# Copy subject details
 +# issuerAltName=issuer:copy
 +
 +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
 +#nsBaseUrl
 +#nsRevocationUrl
 +#nsRenewalUrl
 +#nsCaPolicyUrl
 +#nsSslServerName
 +
 +# This is required for TSA certificates.
 +# extendedKeyUsage = critical,timeStamping
 +
 +[ v3_req ]
 +
 +# Extensions to add to a certificate request
 +
 +basicConstraints = CA:FALSE
 +keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 +
 +[ v3_ca ]
 +
 +
 +# Extensions for a typical CA
 +
 +
 +# PKIX recommendation.
 +
 +subjectKeyIdentifier=hash
 +
 +authorityKeyIdentifier=keyid:always,issuer
 +
 +# This is what PKIX recommends but some broken software chokes on critical
 +# extensions.
 +#basicConstraints = critical,CA:true
 +# So we do this instead.
 +basicConstraints = CA:true
 +
 +# Key usage: this is typical for a CA certificate. However since it will
 +# prevent it being used as an test self-signed certificate it is best
 +# left out by default.
 +# keyUsage = cRLSign, keyCertSign
 +
 +# Some might want this also
 +# nsCertType = sslCA, emailCA
 +
 +# Include email address in subject alt name: another PKIX recommendation
 +# subjectAltName=email:copy
 +# Copy issuer details
 +# issuerAltName=issuer:copy
 +
 +# DER hex encoding of an extension: beware experts only!
 +# obj=DER:02:03
 +# Where 'obj' is a standard or added object
 +# You can even override a supported extension:
 +# basicConstraints= critical, DER:30:03:01:01:FF
 +
 +[ crl_ext ]
 +
 +# CRL extensions.
 +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
 +
 +# issuerAltName=issuer:copy
 +authorityKeyIdentifier=keyid:always
 +
 +[ proxy_cert_ext ]
 +# These extensions should be added when creating a proxy certificate
 +
 +# This goes against PKIX guidelines but some CAs do it and some software
 +# requires this to avoid interpreting an end user certificate as a CA.
 +
 +basicConstraints=CA:FALSE
 +
 +# Here are some examples of the usage of nsCertType. If it is omitted
 +# the certificate can be used for anything *except* object signing.
 +
 +# This is OK for an SSL server.
 +# nsCertType = server
 +
 +# For an object signing certificate this would be used.
 +# nsCertType = objsign
 +
 +# For normal client use this is typical
 +# nsCertType = client, email
 +
 +# and for everything including object signing:
 +# nsCertType = client, email, objsign
 +
 +# This is typical in keyUsage for a client certificate.
 +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
 +
 +# This will be displayed in Netscape's comment listbox.
 +nsComment = "OpenSSL Generated Certificate"
 +
 +# PKIX recommendations harmless if included in all certificates.
 +subjectKeyIdentifier=hash
 +authorityKeyIdentifier=keyid,issuer
 +
 +# This stuff is for subjectAltName and issuerAltname.
 +# Import the email address.
 +# subjectAltName=email:copy
 +# An alternative to produce certificates that aren't
 +# deprecated according to PKIX.
 +# subjectAltName=email:move
 +
 +# Copy subject details
 +# issuerAltName=issuer:copy
 +
 +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
 +#nsBaseUrl
 +#nsRevocationUrl
 +#nsRenewalUrl
 +#nsCaPolicyUrl
 +#nsSslServerName
 +
 +# This really needs to be in place for it to be a proxy certificate.
 +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
 +
 +####################################################################
 +[ tsa ]
 +
 +default_tsa = tsa_config1 # the default TSA section
 +
 +[ tsa_config1 ]
 +
 +# These are used by the TSA reply generation only.
 +dir = ./demoCA # TSA root directory
 +serial = $dir/tsaserial # The current serial number (mandatory)
 +crypto_device = builtin # OpenSSL engine to use for signing
 +signer_cert = $dir/tsacert.pem # The TSA signing certificate
 + # (optional)
 +certs = $dir/cacert.pem # Certificate chain to include in reply
 + # (optional)
 +signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
 +
 +default_policy = tsa_policy1 # Policy if request did not specify it
 + # (optional)
 +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
 +digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
 +accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
 +clock_precision_digits  = 0 # number of digits after dot. (optional)
 +ordering = yes # Is ordering defined for timestamps?
 + # (optional, default: no)
 +tsa_name = yes # Must the TSA name be included in the reply?
 + # (optional, default: no)
 +ess_cert_id_chain = no # Must the ESS cert id chain be included?
 + # (optional, default: no)</file>
 +
 +==== Bearbeitungsschritte bei neunen rsyslog Clients ====
 +Bei einem neune Client, den wir an unseren graylog Server anbinden wollen, sind nun zusammengefasst folgende Schritte nötig (im nachfolgenden Beispiel für Host vml000137):
 +
 +  * auf dem **graylog** Server:
 +    - Schlüssel für den rsyslog-Client erzeugen <code> # openssl genrsa -out /etc/pki/tls/clientkey.pem -aes256 4096</code>
 +    - Passphrase des gerade erzeiugten Client-Schlüssels entfernen <code> # openssl rsa -in /etc/pki/tls/clientkey.pem -out /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem</code>
 +    - Schlüssel mit passphrase vernichten <code> # shred -u /etc/pki/tls/clientkey.pem</code>
 +    - Schlüssel auf den Clientrechner transferieren <code> # cat /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem</code><code> # vim /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem</code>
 +    - Zertificatsrequest erzeugen <code> # openssl req -new -key /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem \
 +           -out /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.csr.pem -nodes</code>
 +    - Zertifikatsrequest der eigenen CA vorlegen. <code> # cp -a /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.csr.pem \
 +            /etc/pki/CA/csrs/ </code>
 +    - Zertifikatsrequest durch die CA bearbeiten und Zertifikat erzeugen. <code> # openssl ca -in /etc/pki/CA/csrs/rsyslog.vml000137.dmz.nausch.org.csr.pem \
 +           -out /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem</code>
 +    - Zertifikat ausgeben und auf den Client-/rsyslog-Host transferieren.<code> # cat /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem</code><code> # vim /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem</code>
 +    - Clientzertifikat dem graylog Server bekannt machden. <code> # cp /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem \
 +           /etc/pki/tls/graylog-client-certs/</code>
 +    - Root CA Zertifikat dem Client zur Verfügung stellen. <code> # cat /etc/pki/CA/certs/root-ca.certifikate.pem</code><code> # vim /etc/pki/CA/certs/root-ca.certifikate.pem</code>
 +    - **rsyslog-gnutls** auf dem Client installieren. <code> # yum install rsyslog-gnutls -y</code>
 +    - originale rsyslog-Konfigurationsdatei sichern. <code> # cp -a /etc/rsyslog.conf /etc/rsyslog.conf.orig</code>
 +    - rsyslog konfigurieren. <code> # vim /etc/rsyslog.conf</code><file bash /etc/rsyslog.conf># rsyslog configuration file
 +
 +# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
 +# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
 +
 +#### MODULES ####
 +
 +# Django : 2017-2-14
 +# default: unset
 +$DefaultNetstreamDriver gtls #make gtls driver the default
 +
 +# The imjournal module bellow is now used as a message source instead of imuxsock.
 +$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
 +# Django : 2017-09-26
 +# default: $ModLoad imjournal # provides access to the systemd journal
 +#$ModLoad imklog # reads kernel messages (the same are read from journald)
 +#$ModLoad immark  # provides --MARK-- message capability
 +
 +# Provides UDP syslog reception
 +#$ModLoad imudp
 +#$UDPServerRun 514
 +
 +# Provides TCP syslog reception
 +#$ModLoad imtcp
 +#$InputTCPServerRun 514
 +
 +
 +#### GLOBAL DIRECTIVES ####
 +
 +# Where to place auxiliary files
 +$WorkDirectory /var/lib/rsyslog
 +
 +# Use default timestamp format
 +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
 +
 +# File syncing capability is disabled by default. This feature is usually not required,
 +# not useful and an extreme performance hit
 +#$ActionFileEnableSync on
 +
 +# Include all config files in /etc/rsyslog.d/
 +$IncludeConfig /etc/rsyslog.d/*.conf
 +
 +# Turn off message reception via local log socket;
 +# local messages are retrieved through imjournal now.
 +# Django : 2017-09-26
 +# default: $OmitLocalLogging on
 +
 +# File to store the position in the journal
 +# Django : 2017-09-26
 +# default: $IMJournalStateFile imjournal.state
 +
 +# Django : 2017-02-14 - certificate files for TLS
 +# default: unset
 +$DefaultNetstreamDriverCAFile   /etc/pki/ca-trust/source/anchors/root-ca.nausch.org.pem
 +$DefaultNetstreamDriverCertFile /etc/pki/tls/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem
 +$DefaultNetstreamDriverKeyFile  /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem
 +
 +$ActionSendStreamDriverAuthMode x509/name
 +$ActionSendStreamDriverPermittedPeer graylog-server.dmz.nausch.org
 +#          run driver in TLS-only mode
 +$ActionSendStreamDriverMode 1
 +
 +#### RULES ####
 +
 +# Log all kernel messages to the console.
 +# Logging much else clutters up the screen.
 +#kern.*                                                 /dev/console
 +
 +# Log anything (except mail) of level info or higher.
 +# Don't log private authentication messages!
 +*.info;mail.none;authpriv.none;cron.none                /var/log/messages
 +
 +# The authpriv file has restricted access.
 +authpriv.*                                              /var/log/secure
 +
 +# Log all the mail messages in one place.
 +mail.*                                                  -/var/log/maillog
 +
 +
 +# Log cron stuff
 +cron.*                                                  /var/log/cron
 +
 +# Everybody gets emergency messages
 +*.emerg                                                 :omusrmsg:*
 +
 +# Save news errors of level crit and higher in a special file.
 +uucp,news.crit                                          /var/log/spooler
 +
 +# Save boot messages also to boot.log
 +local7.*                                                /var/log/boot.log
 +
 +
 +# ### begin forwarding rule ###
 +# The statement between the begin ... end define a SINGLE forwarding
 +# rule. They belong together, do NOT split them. If you create multiple
 +# forwarding rules, duplicate the whole block!
 +# Remote Logging (we use TCP for reliable delivery)
 +#
 +# An on-disk queue is created for this action. If the remote host is
 +# down, messages are spooled to disk and sent when it is up again.
 +#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
 +#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
 +#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
 +#$ActionQueueType LinkedList   # run asynchronously
 +#$ActionResumeRetryCount -1    # infinite retries if host is down
 +# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
 +#*.* @@remote-host:514
 +#
 +# Django : 2017-02-14
 +$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
 +*.* @10.0.0.117:6514;RSYSLOG_SyslogProtocol23Format
 +#
 +# ### end of the forwarding rule ###</file>
 +    - rsyslog-Daemon neu starten zum Aktivieren der Konfigurationsänderung.<code> # systemctl restart rsyslog.service</code>
 +
 +<WRAP center round important 90%>
 +**FAZIT**: 
 +
 +Mit Hilfe dieser 14 Bearbeitungsschritte kann nicht nur der Übertragungsweg zwischen rsyslog-client und graylog-server abgesichert und sondern auch der Zugriff des Clients auf den zentralen syslog-server geregelt werden. 
 +
 +Mit einfachen Boardmitteln unseres CentOS 7 Servers kann somit ein wesentlicher Beitrag zur Vertraulichkeit und Integrität von syslog-informationen geleistet werden und ein ungesicherte und ungeschützte Übertragung von sensitiven syslog-Informationen sollten der Vergangenheit angehören. Auch wenn der ungeübten Admin diesen Umstand bis jetzt erfolgreich verdrängte!
 +</WRAP>
  
 ====== Links ====== ====== Links ======
Zeile 3954: Zeile 4800:
   * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**   * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**
  
-~~DISCUSSION~~+
  
  • centos/web_c7/graylog2.1487333577.txt.gz
  • Zuletzt geändert: 17.02.2017 12:12.
  • von django