I recently implemented the ELK Stack solution to centralise logs from several devices. It works very well when I send my logs over UDP, but I'm having a few problems encrypting the logs.
Here are some of my logstash inputs:

input {
  udp {
    type => "log-fortinet"
    host => "10.7.7.101"
    port => 5140
  }
  tcp {
    type => "log-fortinet"
    host => "10.7.7.101"
    port => 5140
    ssl_enable => true
    ssl_cert => "/etc/ssl/logstash/logstash-cert.crt"
    ssl_key => "/etc/ssl/logstash/logstash-key.key"
    ssl_verify => false    # boolean setting; no client certificate is requested from the FortiGate
    dns_reverse_lookup_enabled => false
  }
}
Here is the configuration on the FortiGate:

show full-configuration
config log syslogd setting
    set status enable
    set server "10.7.7.101"
    set mode reliable
    set port 5140
    set facility local7
    set source-ip ''
    set format default
    set priority default
    set max-log-rate 0
    set enc-algorithm high
    set ssl-min-proto-version default
    set certificate ''
    set interface-select-method auto
end
And here is the error message:

[ERROR] 2023-10-13 12:30:49.296 [nioEventLoopGroup-2-1] tcp - null: closing due: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)

I'm working on Ubuntu 22.04.3 LTS.

java --version
openjdk 11.0.20.1 2023-08-24
OpenJDK Runtime Environment (build 11.0.20.1+1-post-Ubuntu-0ubuntu122.04)
OpenJDK 64-Bit Server VM (build 11.0.20.1+1-post-Ubuntu-0ubuntu122.04, mixed mode, sharing)
Hope that someone can help me.
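A small TLS syslog test client, added here as an example and not part of the post above, that checks the Logstash tcp listener independently of the FortiGate: it pins the listener's own certificate as the only trust anchor, negotiates TLS with a selectable minimum version, sends one RFC 5424 message using the octet-counting framing defined for syslog over TCP/TLS (RFC 6587 / RFC 5425), and reports the negotiated protocol and cipher. The host, port and certificate path are taken from the post's Logstash input; the message content and the probe hostname are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Values taken from the Logstash tcp input in the post.
LOGSTASH_HOST = "10.7.7.101"
LOGSTASH_PORT = 5140
LOGSTASH_CERT = "/etc/ssl/logstash/logstash-cert.crt"  # pinned as the only trusted cert


def rfc5424_message(hostname: str, app: str, text: str, facility: int = 23, severity: int = 6) -> bytes:
    """Minimal RFC 5424 line. Facility 23 is local7, as set on the FortiGate; severity 6 is info."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {text}".encode()


def octet_count_frame(message: bytes) -> bytes:
    """RFC 6587 / RFC 5425 octet-counting framing: 'MSG-LEN SP SYSLOG-MSG'."""
    return f"{len(message)} ".encode() + message


def parse_octet_count_frame(data: bytes) -> tuple:
    """Split one octet-counted frame off the front of data; returns (message, rest).
    A truncated or unframed record raises ValueError, which a TCP receiver must expect."""
    space = data.find(b" ")
    if space <= 0 or not data[:space].isdigit():
        raise ValueError("missing MSG-LEN prefix")
    length = int(data[:space])
    body = data[space + 1:]
    if len(body) < length:
        raise ValueError("truncated frame")
    return body[:length], body[length:]


def send_test_message(host=LOGSTASH_HOST, port=LOGSTASH_PORT, cafile=LOGSTASH_CERT,
                      min_version=ssl.TLSVersion.TLSv1_2):
    """Open a TLS session to the listener, send one framed message, and report what was
    negotiated. Call again with min_version=ssl.TLSVersion.TLSv1_3 to compare behaviour."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # listener cert is self-signed; trust comes from the pin above
    ctx.minimum_version = min_version
    msg = rfc5424_message("tls-probe", "probe", "test message from tls probe")  # constructed
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(octet_count_frame(msg))
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print("negotiated %s with %s" % send_test_message())
```

If the probe completes cleanly from the Logstash host while the FortiGate connection still fails, the difference is on the sending side (protocol version, cipher selection or framing); if the probe fails the same way, the listener itself is the place to look.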