I'm looking to send GELF (Graylog Extended Log Format) log messages from a Logstash instance to Graylog. But since the GELF output in Logstash does not support TLS, I want to use stunnel to encrypt the communication instead.
I have set up a test environment which consists of two stunnels, one client and one server, and just a netcat which emulates the receiving end (eventually Graylog). However, when I have configured everything and send messages through stunnel, the first data packet is lost. I have captured the traffic using tshark and can see that the data is sent from the source to stunnel, but stunnel just responds with RST and the packet is nowhere to be found, but the second data packet is delivered just fine.
I have tried to connect the stunnel client to a stunnel server, Graylog, and HAProxy, but there is always packet loss.
Stunnel client
verify = 0
chroot = /usr/local/var/run/stunnel/
pid = /stunnel.pid
setuid = nobody
setgid = nobody
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = stunnel.log
client = yes
[test]
accept = 3333
connect = <server>:7777
Stunnel server
cert = /etc/stunnel/stunnel.pem
verify = 0
chroot = /usr/local/var/run/stunnel/
pid = /stunnel.pid
setuid = nobody
setgid = nobody
[test]
accept = 7777
connect = 4445
logstash conf
input {
  syslog {
    port => 10514
  }
}
output {
  gelf {
    host => "localhost"
    port => 3333
    protocol => TCP
  }
}
I test it all using:
loggen --rate 1 --interval 1 localhost 10514
Edit
Tshark of the communication:
No. Time Source Destination Protocol Length Info
1 0.000000000 127.0.0.1 127.0.0.1 TCP 883 47016 → 3333 [PSH, ACK] Seq=1 Ack=1 Win=342 Len=815 TSval=193491 TSecr=160751
2 0.000028908 127.0.0.1 127.0.0.1 TCP 56 3333 → 47016 [RST] Seq=1 Win=0 Len=0
3 1.019395050 127.0.0.1 127.0.0.1 TCP 76 47040 → 3333 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=194510 TSecr=0 WS=128
4 -1525790179.613104197 127.0.0.1 127.0.0.1 TCP 76 3333 → 47040 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=194510 TSecr=194510 WS=128
5 1.019427365 127.0.0.1 127.0.0.1 TCP 68 47040 → 3333 [ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=194510 TSecr=194510
6 1.019725293 127.0.0.1 127.0.0.1 TCP 883 47040 → 3333 [PSH, ACK] Seq=1 Ack=1 Win=43776 Len=815 TSval=194510 TSecr=194510
7 1.019733354 127.0.0.1 127.0.0.1 TCP 68 3333 → 47040 [ACK] Seq=1 Ack=816 Win=45440 Len=0 TSval=194510 TSecr=194510
Thanks!
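An added example, not part of the original post: a small Python parser for the tshark summary lines in the capture that groups frames by client port and reports, per connection to port 3333, whether a handshake was captured, how many bytes were sent and acknowledged, and whether it was reset. The frame lines are copied from the post with TCP options trimmed; the function names are illustrative.

```python
import re
from collections import defaultdict

# Frames copied from the capture in the post (TSval/TSecr/MSS/WS options trimmed).
CAPTURE = """\
1 0.000000000 127.0.0.1 127.0.0.1 TCP 883 47016 → 3333 [PSH, ACK] Seq=1 Ack=1 Win=342 Len=815
2 0.000028908 127.0.0.1 127.0.0.1 TCP 56 3333 → 47016 [RST] Seq=1 Win=0 Len=0
3 1.019395050 127.0.0.1 127.0.0.1 TCP 76 47040 → 3333 [SYN] Seq=0 Win=43690 Len=0
4 -1525790179.613104197 127.0.0.1 127.0.0.1 TCP 76 3333 → 47040 [SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0
5 1.019427365 127.0.0.1 127.0.0.1 TCP 68 47040 → 3333 [ACK] Seq=1 Ack=1 Win=43776 Len=0
6 1.019725293 127.0.0.1 127.0.0.1 TCP 883 47040 → 3333 [PSH, ACK] Seq=1 Ack=1 Win=43776 Len=815
7 1.019733354 127.0.0.1 127.0.0.1 TCP 68 3333 → 47040 [ACK] Seq=1 Ack=816 Win=45440 Len=0
"""

FRAME = re.compile(r"^\d+\s+\S+\s+\S+\s+\S+\s+TCP\s+\d+\s+(\d+) → (\d+) \[([^\]]+)\](.*)$")

def field(name, text):
    """Return the integer value of a 'Name=123' field, or None if absent."""
    m = re.search(rf"\b{name}=(\d+)", text)
    return int(m.group(1)) if m else None

def summarize(capture, service_port=3333):
    """Per client port: was a SYN captured, bytes sent, bytes ACKed, was it reset."""
    flows = defaultdict(lambda: {"syn": False, "sent": 0, "acked": 0, "reset": False})
    for line in capture.splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue
        sport, dport, flags = int(m.group(1)), int(m.group(2)), m.group(3).split(", ")
        if dport == service_port:                      # client -> stunnel
            flow = flows[sport]
            flow["syn"] = flow["syn"] or "SYN" in flags
            flow["sent"] += field("Len", m.group(4)) or 0
        elif sport == service_port:                    # stunnel -> client
            flow = flows[dport]
            flow["reset"] = flow["reset"] or "RST" in flags
            if "ACK" in flags:                         # relative Ack N confirms N-1 bytes
                flow["acked"] = max(flow["acked"], (field("Ack", m.group(4)) or 1) - 1)
    return dict(flows)

def dropped_connections(capture, service_port=3333):
    """Client ports whose data was answered with RST instead of being ACKed."""
    return sorted(p for p, f in summarize(capture, service_port).items()
                  if f["reset"] and f["sent"] > f["acked"])

if __name__ == "__main__":
    for port, flow in summarize(CAPTURE).items():
        print(port, flow)
    print("reset with unacknowledged data:", dropped_connections(CAPTURE))
```

On this capture the reset 815-byte segment belongs to client port 47016, for which no SYN appears in the capture, while the delivered one belongs to a separate connection from port 47040 that completes a handshake and has all 815 bytes acknowledged.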