Implement TLS support for the GelfWriter feature

[mcktr]

This implements TLS support for the GelfWriter feature.

Test

I used the Icinga 2 Vagrant box with Graylog from icinga-vagrant. But I only used the Graylog instance from there, the Icinga 2 daemon ran directly on my notebook computer.

Create CA

openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -extensions v3_ca -key ca.key -days 1024 -out ca.crt -sha512

Generate certificate for Graylog (server)

openssl genrsa -out graylog-server.key 4096
openssl req -new -key graylog-server.key -out graylog-server.csr -sha512
openssl x509 -req -in graylog-server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out graylog-server.crt -days 365 -sha512

Generate certificate for Icinga 2 (client)

openssl genrsa -out icinga2-client.key 4096
openssl req -new -key icinga2-client.key -out icinga2-client.csr -sha512
openssl x509 -req -in icinga2-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out icinga2-client.crt -days 365 -sha512

I copied ca.crt, icinga2-client.key and icinga2-client.crt to my machine, since the Icinga 2 daemon runs there.

Create new Gelf Input with TLS

bind_address: 0.0.0.0
decompress_size_limit: 8388608
max_message_size: 2097152
override_source: <empty>
port: 12202
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: /srv/graylog/graylog-server.crt
tls_client_auth: required
tls_client_auth_cert_file: /srv/graylog/ca.crt
tls_enable: true
tls_key_file: /srv/graylog/graylog-server-pkcs8.key
tls_key_password: ********
use_null_delimiter: true

Activate and configure GelfWriter feature

icinga2 feature enable gelf

vim /usr/local/icinga2/etc/icinga2/features-enabled/gelf.conf

object GelfWriter "gelf" {
  host = "192.168.33.6"
  port = 12202
  source = "icinga2"
  enable_send_perfdata = true
  enable_tls = true
  ca_path = "/srv/ca.crt"
  cert_path = "/srv/icinga2-client.crt"
  key_path = "/srv/icinga2-client.key"
}

Verifying TLS usage

Start the Icinga 2 daemon, verify that the GelfWriter actually writes data.

[2018-12-02 21:21:57 +0100] information/GelfWriter: 'gelf' resumed.
[...]
[2018-12-02 21:22:07 +0100] information/WorkQueue: #5 (GelfWriter, gelf) items: 0, rate: 9.11667/s (547/min 547/5min 547/15min);

Check Graylog.

Graylog receives data.

Verify encryption.

(192.168.33.6 is the ip address of the Graylog VM).

fixes #6152

[dnsmichi]

Cool, thanks. @marcofl owes you a Gin ;-)

[dnsmichi]

Verify that #6989 does not affect this too.

[dnsmichi]

Verify that this works with Graylog 3.

[dnsmichi]

Should use Boost ASIO, blocked by #7010.

[dnsmichi]

Similar code is located in the InfluxDBWriter class in git master, but only for the TLS stream parts.

[dnsmichi]

Boost Asio similar to the other features, the TlsStream class is subject for removal before 2.11 is being released.

[mcktr]

I updated the PR to use Boost Asio for TLS as well as for non TLS connections. I tested this against the Graylog vagrant box from icinga-vagrant (as described above). I still need to test against Graylog 3, once done I'll provide a full test log.

[dnsmichi]

Cool, thank you :-)

[dnsmichi]

I'm rewriting other parts in the core right now, let's just stick with the final implemention here and if Graylog 3 doesn't work, we'll fix it later. Same goes for ES7 in another ticket. I need these changes in my branch ;)

Thanks for your work 👍