1、logstash服务器
生成证书密钥并发送到forwarder服务器。
sudo openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
scp {private/logstash-forwarder.key,certs/logstash-forwarder.crt} forwarder:
logstash的输入数据源配置,接收forwarder服务器发送过来的日志。
input {
lumberjack {
port => 5000
type => "logs"
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
2、forwarder服务器
进行以下配置并启动。
{
"network": {
"servers": [ "192.168.2.107:5000" ],
"timeout": 15,
"ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt"
"ssl key": "/etc/pki/tls/certs/logstash-forwarder.key"
},
"files": [
{
"paths": [
"/var/log/syslog",
"/var/log/auth.log"
],
"fields": { "type": "syslog" }
}
]
}
最后出现的错误:
Jul 9 05:06:21 ubuntu logstash-forwarder[1374]: 2014/07/09 05:06:21.589762 Connecting to [192.168.2.107]:5000 (192.168.2.107)
Jul 9 05:06:21 ubuntu logstash-forwarder[1374]: 2014/07/09 05:06:21.595105 Failed to tls handshake with 192.168.2.107 x509: cannot validate certificate for 192.168.2.107 because it doesn't contain any IP SANs
Jul 9 05:06:22 ubuntu logstash-forwarder[1374]: 2014/07/09 05:06:22.595971 Connecting to [192.168.2.107]:5000 (192.168.2.107)
Jul 9 05:06:22 ubuntu logstash-forwarder[1374]: 2014/07/09 05:06:22.602024 Failed to tls handshake with 192.168.2.107 x509: cannot validate certificate for 192.168.2.107 because it doesn't contain any IP SANs
这是因为我们生成的密钥和证书没有经过ip地址认定。
解决:
Edit your /etc/ssl/openssl.cnf on the logstash host - add subjectAltName = IP:192.168.2.107 in [v3_ca] section.
Recreate the certificate
Copy the cert and key to both hosts
有可能你的openssl配置文件不在这个路径 /etc/ssl/openssl.cnf 你可以找到他然后 add subjectAltName = IP:192.168.2.107 in [v3_ca] section.
就解决这个问题了。
网友评论