Secure Graylog Interface with TLS

Transport Layer Security (TLS) is a cryptographic protocol that encrypts network communications, ensuring confidentiality, authentication, and data integrity. Securing the Graylog web interface with TLS protects log data, user credentials, and administrative access from eavesdropping or tampering.

In this guide, we’ll walk through the step-by-step process of enabling TLS for Graylog's web interface. This includes verifying TLS certificate formats, importing Root CA and Intermediate certificates into the Java Key Store, and configuring Graylog to enable HTTPS for secure access.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • If you have any sidecars installed and connecting to a non-HTTPS URL or IP address (e.g. HTTP), you must verify that server_url is correctly configured.

  • You need an SSH client to allow you to connect to your Graylog server remotely and an SFTP client to upload TLS certificate files.

  • You must have SSH access and root access to your Graylog server(s).

  • The Graylog server(s) will require corresponding private key and public key certificate files to enable secure communication between Graylog, web browsers, and log collectors.

  • We strongly recommend you have familiarity with OpenSSL commands as the following example commands are tailored for use with OpenSSL, which is typically installed by default on Linux devices.

Highlights

The following highlights provide a summary of the key takeaways from this article:

  • Graylog requires two key files: a public key certificate (public.pem), which is used for encryption, and a private key (private.key), which is used to decrypt the data received.

  • If your certificate is in PFX format, you must convert it to PEM and extract the public key, private key, and certificate chain, preferably using OpenSSL.

  • Secure the private key and certificate files appropriately.

  • TLS certificates rely on trusted Certificate Authorities (CAs). If using a Private CA, you must manually import its Root CA certificate into the system.

  • You must modify the Graylog service (graylog-server) and Graylog server (server.conf) configuration files to enable Graylog as a truststore.

Chain of Trust

TLS certificates are validated through a chain of trust. For a client (e.g. a web browser) to trust a server’s certificate, it must recognize the issuing Certificate Authority (CA).

Devices come preloaded with Root Certificates from trusted public CAs, enabling automatic trust in certificates issued by them.

Private CAs, such as Microsoft Active Directory Certificate Services, issue certificates for internal networks; however, devices must manually import and configure private CA root certificates to establish trust, unlike public CA-signed certificates, which are trusted by default.

Public Key and Private Key

In order for TLS encryption to function, a web server, such as Graylog’s web interface, must be configured to use 2 different certificates:

  • Public Key

  • Private Key

When a client, such as a web browser, connects to a web server using TLS/HTTPS, the web server sends the client its public key. The client can then use this public key to encrypt any traffic sent to the web server. In order to decrypt this traffic, the corresponding private key must be used. Only the web server has access to this private key.

Extract the PFX Certificate File

A PFX certificate (Personal Information Exchange) is a file format used to store and transport cryptographic keys and certificates securely. It typically has a .pfx extension.

If your certificate is a single file, such as a .pfx file, you will need to convert the certificate to the correct format. A .pfx certificate contains both the public and private keys needed for TLS encryption.

Hint: If you already have separate certificate files for your private key and public key, you can proceed to Verify Your Public Key Certificate File.

Before extracting, you can view the contents of the .pfx file for verification. Use the following OpenSSL command and replace filename.pfx with the applicable file path and name for your .pfx certificate file:

Copy 
openssl pkcs12 -info -in filename.pfx

Extract Separate Public and Private Keys

To extract the public and private keys separately from the .pfx file, follow the steps below:

  1. Extract the entire key pair (both public and private key) from the .pfx file. You will be prompted to input the password used to encrypt the .pfx file:

    Copy 
    openssl pkcs12 -in filename.pfx -nocerts -nodes -out keypair.key

  2. Extract only the private key and convert it to PKCS#8 format. You will be asked to input a new password to encrypt the private key file:

    Copy 
    openssl pkcs8 -in keypair.key -topk8 -out private.key

  3. Now, extract only the public key certificate. You will again be prompted to input the initial password used to encrypt the .pfx file:

    Copy 
    openssl pkcs12 -in filename.pfx -clcerts -nokeys -out public.text.pem

  4. Remove the extra text from extracted public key certificate:

    Copy 
    openssl x509 -in public.text.pem -out public.cert.pem

  5. Extract all the certificates in the chain, including the root CA and intermediate certificates:

    Copy 
    openssl pkcs12 -in filename.pfx -cacerts -chain -nokeys -out public.chain.text.pem

  6. Remove the extra text from the extracted certificate chain:

    Copy 
    openssl x509 -in public.chain.text.pem -out public.chain.pem

  7. Merge the public certificate and certificate chain into a single file:

    Copy 
    cat public.cert.pem public.chain.pem > public.pem

Verify Your Public Key Certificate File

Now, review your public key to verify it is the correct format, which is PEM (Privacy-Enhanced Mail) format. Additionally, the public certificate must start with

-----BEGIN CERTIFICATE-----

and end with

-----END CERTIFICATE-----

These markers define the start and end of the certificate block.

Also note it is common for the public key certificate file to contain more than one block of text that represents the certificate. This is referred to as the certificate chain and includes the public keys of all certificates.

The hierarchy typically looks like this:

  • Root CA Certificate: The highest level of trust.

    • Intermediate CA Certificate: Acts as a middle layer between the Root CA and the end-user certificate.

      • Issued Certificate: The certificate issued for a specific domain (e.g. myexample.com).

Or, for example:

Copy 
-----BEGIN CERTIFICATE-----
(Base64-encoded Root CA certificate)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Base64-encoded Intermediate CA certificate)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
(Base64-encoded Issued Certificate - mydomain.tld)
-----END CERTIFICATE-----

Verify Your Private Key Certificate File

Graylog only supports PKCS#8 private keys with PEM encoding. To verify this, determine whether the private key starts with

-----BEGIN ENCRYPTED PRIVATE KEY-----

If the private key starts with

-----BEGIN PRIVATE KEY----- (unencrypted PKCS#8)

or

-----BEGIN RSA PRIVATE KEY----- (PKCS#1)

then you will need to convert the format of the certificate to PKCS#8 using the following command:

Copy 
openssl pkcs8 -in privkey.pem -topk8 -out privkey.pkcs8.pem

After completing the conversion, rename the old and new private key files to denote which is in the correct format:

Copy 
sudo mv privkey.pem privkey.pem.origsudo mv privkey.pkcs8.pem privkey.key

Prepare Your Certificate Files

Before importing your certificates, you need to organize and store them appropriately.

  1. On your Graylog server(s), create the following directory. Note this is an example directory and may be customized to your requirements: 

    Copy 
    sudo mkdir -p /opt/graylog/tls/

  2. Upload your certificate files to this directory (for example, using SFTP via FileZilla). Depending on your Linux distribution, you may need to first upload your certificate files to your home directory and then copy the files to the above path.

    For example, your public key may be uploaded as indicated:

    Copy 
    sudo cp ~/public.pem /opt/graylog/tls/

    And your private key:

    Copy 
    sudo cp ~/private.key /opt/graylog/tls/

Set Certificate File Ownership and Permissions

Hint: This section assumes that you installed Graylog via an operating system package and that the graylog-server process(es) are running as user graylog.

Setting the ownership of the certificate files, as well as setting the permissions of these files, is important as Graylog must have access to these files in order to serve pages via HTTPS and this prevents unauthorized or unwanted access to your certificate’s private key file. To set file ownership and adjust permissions settings:

  1. Set the files' owner as the user graylog

    Copy 
    sudo chown graylog:graylog /opt/graylog/tls/*

  2. Set the permissions of the certificate private key so that no other user can read the contents:

    Copy 
    sudo chmod 600 /opt/graylog/tls/private.key

  3. Set the permissions of certificate public key file, allowing any user to read the file but only the owner to modify it:

    Copy 
    sudo chmod 644 /opt/graylog/tls/public.pem

Copy the Existing Java Root Certificates

As discussed previously, in order for a device or web client to trust a TLS certificate, it must trust the Root Certificates that signed and issued it. For Java applications, such as Graylog, the Java Key Store is used.

To make a copy of your existing Java root certificates store (cacerts), follow the steps below:

Hint: Graylog includes a bundled OpenJDK, which means it is possible to install Graylog without installing OpenJDK. Where you will need to copy the cacerts file from depends on whether or not you have OpenJDK separately installed.

  1. Verify whether you have an OpenJDK installation separate from Graylog:

    Copy 
    ls /usr/lib/jvm/

    If this returns a value, then you do have OpenJDK installed separately. If it does not return a value, then you do not have OpenJDK installed.

    Warning: If there is no folder for jvm, you may get an error such as: ls: cannot access ‘/usr/lib/jvm/’: No such file or directory.

  2. If you do have OpenJDK installed:

    1. Find the current home path for Java and save it as a variable:

      Copy 
      tmpjavahome=$(java -XshowSettings:properties -version 2>&1 > /dev/null | grep 'java.home' | grep '/.*' -o)

    2. Make a copy of the default Java cacerts file:

      Copy 
      cp $tmpjavahome/lib/security/cacerts /etc/graylog/graylog.jks

  3. If you do not have OpenJDK installed, you must use the bundled OpenJDK cacerts file:

    1. Copy the cacerts file from the graylog-server file: 

      Copy 
      sudo cp /usr/share/graylog-server/jvm/lib/security/cacerts /etc/graylog/graylog.jks

    2. Set owner of the cacerts file to the graylog user:

      Copy 
      sudo chown graylog:graylog /etc/graylog/graylog.jks

Import the Certificate Files into the Java Key Store

Now you will import the public certificates from your Private Certificate Authority (CA) into the Java Key Store.

  1. Recall that certificates must be in PEM format (Base64-encoded ASCII) and not in DER format (binary). To convert a DER format certificate to PEM format:

    Copy 
    sudo openssl x509 -inform der -in enterpriseRootCA.cer -out enterpriseRootCA.pem

  2. Import the Root CA and Intermediate certificates:

    Copy 
    sudo keytool -importcert -keystore /etc/graylog/graylog.jks -storepass changeit -alias cachain -file  /etc/graylog/enterpriseRootCA.pem

  3. Repeat the above step for all Root and Intermediate CAs. For example, if you have a private Root CA that issues certificates to a Sub CA, add both the Root CA and Sub CA public certificates to the Java Key Store.

Configure Graylog

Once your Java Key Store file has the required certificates imported, you can configure Graylog to use it as a truststore. You will need to configure both the Graylog service file and the Graylog server file. For more information on these files, including their default locations, see Configuration Settings.

Configure the Graylog Service File

Hint: The file graylog-server is found by default at /etc/graylog/.

Modify the Graylog service file to add the following information to the line starting with GRAYLOG_SERVER_JAVA_OPTS:

Copy 
-Djavax.net.ssl.trustStore=/etc/graylog/graylog.jks

The line in the service file should look like the following when compete: 

Copy 
GRAYLOG_SERVER_JAVA_OPTS="-Xms8g -Xmx8g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/graylog/graylog.jks"

Configure the Graylog Server File

Now that you have valid certificate files, and they are prepared and located in the appropriate directory, you can modify your Graylog server server.conf configuration file to configure HTTPS/TLS. For information on this configuration file, including how to modify it, see Graylog Server Configuration.

Hint: By default, this file is located at: /etc/graylog/server/server.conf.

  1. Enable TLS by setting by adjusting the following property to true

    Copy 
    http_enable_tls = true

  2. Add the X.509 certificate chain file in PEM format to use for securing the HTTP interface:

    Copy 
    http_tls_cert_file = /opt/graylog/tls/public.pem

  3. Add the PKCS#8 private key file in PEM format to use for securing the HTTP interface:

    Copy 
    http_tls_key_file = /opt/graylog/tls/private.key

  4. Add the password to unlock the private key used for securing the HTTP interface. Do not enclose the password in quotation marks:

    Copy 
    http_tls_key_password = thePasswordGoesHere

  5. After making all changes, restart the Graylog service to apply the configuration: 

    Copy 
    sudo systemctl restart graylog-server

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: