TLS Client Auth support for net log output #6079

Open
yroc92 opened this issue Feb 1, 2024 · 6 comments
Labels
feature ⚙️ New feature or request help wanted 🆘 Extra attention is needed

Comments

@yroc92
Collaborator

yroc92 commented Feb 1, 2024

When sending logs via the net output, TLS client auth is necessary for a secure, encrypted connection and safe transmission of logs. This is especially important when sending logs to a foreign server (think: Elasticsearch via Logstash's TCP plugin).

@yroc92 yroc92 added the feature ⚙️ New feature or request label Feb 1, 2024
@francislavoie
Member

I have a feeling that a logstash writer plugin would probably be more appropriate.

@mholt
Member

mholt commented Feb 1, 2024

That may be true, but I was thinking it seems fitting that a server that specializes in TLS should be able to establish a TLS connection for transmitting logs. 🤷‍♂️

@francislavoie
Member

But is there an actual standard for establishing TLS for writing logs, or is it just a proprietary thing logstash is doing? I don't think it makes sense to do this in the net writer if it's only for logstash.

@mholt
Member

mholt commented Feb 1, 2024

It would just be a TLS client config, similar to what the reverse proxy uses or layer 4's proxy -- enable TLS, maybe configure the trusted roots, client auth, timeouts, etc. Would work with any TCP log ingestor (that also supports TLS, presumably remote log servers).

@mohammed90
Member

> It would just be a TLS client config, similar to what the reverse proxy uses or layer 4's proxy -- enable TLS, maybe configure the trusted roots, client auth, timeouts, etc. Would work with any TCP log ingestor (that also supports TLS, presumably remote log servers).

From prior research, I found that attempting TLS termination for RDBMS and STARTTLS (in the email world) doesn't work like it works for other traffic, e.g. web. They have their own special handling during the handshake. This is where Francis' point about the presence of a standard for such TLS communication in log-writing comes in.

We can test it. If the l4 app can proxy it, then the mere TLS connectivity should work.

@yroc92
Collaborator Author

yroc92 commented Feb 3, 2024

It looks like the TCP plugin for logstash is doing a pretty standard exchange. Here are their docs, and here is a typical example of the config for a Logstash TCP endpoint that is expecting a client cert:

input {
 tcp {
  port => 6514
  mode => "server"
  type => json
  ssl_enable => true
  ssl_certificate_authorities => ["/etc/logstash/ca.d/cacert.pem"]
  ssl_cert => "/etc/logstash/serverreq.pem"
  ssl_key => "/etc/logstash/serverkey.pem"
 }
}

@mholt mholt added the help wanted 🆘 Extra attention is needed label Mar 6, 2024