At work, I have many Windows servers. I've started to investigate ways of getting the logs from the servers into a central place.
I'm going to use NXLog to gather the logs on the Windows hosts, and then send them to a LogStash server (running on Debian).
LogStash will do some filtering and parse out fields, and then the logs will be sent to an Elasticsearch cluster.
These posts will detail how I've configured the NXLog and LogStash parts, focusing on securing the transport so the logs are protected in transit.
Part 2 - Creating a self-signed certificate
Wednesday, 8 October 2014
Centralising windows logs securely using NXLog and LogStash (Part 2 - Creating a self-signed certificate)
There are other ways of creating a 'self-signed' certificate, but I'll be using a Debian Wheezy box and the 'openssl' utility.
1. Create a private key
This will create a 2048-bit private key, and save it in a file called 'logstash-server.key'.
# openssl genrsa -out logstash-server.key 2048
2. Create a certificate signing request
# openssl req -new -key logstash-server.key -out logstash-server.csr
Fill out the details as required. I've highlighted & obfuscated my input on the screenshot below.
There are now two files: the private key file and the CSR file.
The CSR can be checked by typing this command:
# openssl req -in logstash-server.csr -noout -text
3. Self-sign the request
Now we need to sign the CSR with the private key generated earlier. (Note: for non-self-signed certificates, the CSR would be signed by a trusted certificate authority's private key.)
A certificate file (ending .crt) will be generated.
openssl can then show details of the signed certificate.
# openssl x509 -in logstash-server.crt -text -noout
Notice that the Issuer is the same as the Subject (i.e. self-signed) and that the expiry date is 1830 days from now.
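Steps 1 to 3 as one non-interactive script with the checks a reviewer would run afterwards, as an added example that is not part of the original post. The subject `/CN=logstash.example.test`, the function names and the `openssl x509 -req -signkey` signing command are assumptions, since the post's own signing command is not reproduced in the text.

```shell
#!/bin/sh
# Added example: steps 1-3 of the post, non-interactive, followed by checks.
# The subject passed in below is a placeholder (assumption), not the author's.

# make_selfsigned NAME DAYS SUBJECT -> writes NAME.key, NAME.csr, NAME.crt
make_selfsigned() (
    umask 077    # files created here are readable by their owner only
    openssl genrsa -out "$1.key" 2048 2>/dev/null || exit 1
    openssl req -new -key "$1.key" -subj "$3" -out "$1.csr" || exit 1
    # Signing with the CSR's own key is what makes the result self-signed.
    openssl x509 -req -days "$2" -in "$1.csr" -signkey "$1.key" \
        -out "$1.crt" 2>/dev/null
)

# is_self_signed CERT -> 0 when Issuer and Subject are identical
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# key_matches_cert KEY CERT -> 0 when both carry the same RSA modulus
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# expires_in_about CERT DAYS -> 0 when valid at DAYS-1 and expired by DAYS+1
expires_in_about() {
    openssl x509 -in "$1" -noout -checkend $(( ($2 - 1) * 86400 )) >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend $(( ($2 + 1) * 86400 )) >/dev/null
}

# Demo run in a scratch directory so nothing lands in the current one.
workdir=$(mktemp -d) && cd "$workdir" || exit 1
make_selfsigned logstash-server 1830 "/CN=logstash.example.test" || exit 1
is_self_signed logstash-server.crt && echo "issuer == subject"
key_matches_cert logstash-server.key logstash-server.crt && echo "key matches"
expires_in_about logstash-server.crt 1830 && echo "expires in ~1830 days"
```

The modulus comparison catches the common mistake of deploying a certificate next to a private key from a different run.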
4. So where are we now?
We have a private key and a self-signed certificate. The .csr can be deleted if you want. The only reason to keep it is if the certificate needs to be renewed.
Next... let's configure LogStash to use the certificate.