Transport Security

Calyptia Core Agent provides integrated support for Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). In this section, TLS refers to both implementations.

Both input and output plugins that perform Network I/O can optionally enable TLS and configure the behavior. The following table describes the properties available:

| Property | Description | Default |
| --- | --- | --- |
| tls | Enables or disables TLS support. | Off |
| tls.verify | If enabled, forces certificate validation. | On |
| tls.debug | Sets TLS debug verbosity level. Possible values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational), 4 (Verbose) | 1 |
| tls.ca_file | The absolute path to the TLS certificate from your certificate authority (CA). | |
| tls.ca_path | The absolute path to scan for certificate files. | |
| tls.crt_file | The absolute path to your certificate file. | |
| tls.key_file | The absolute path to your private key file. | |
| tls.key_passwd | The optional password for the file specified by tls.key_file. | |
| tls.vhost | The hostname to use for the TLS Server Name Indication (SNI) extension. | |
| tls.ciphers | Specifies OpenSSL ciphers. | |
| tls.max_version | Specifies the maximum TLS version. In most environments, the supported values are TLSv1.3 and TLSv1.2. In CentOS version 7 and earlier, the supported values are TLSv1, TLSv1.1, and SSLv3. | |
| tls.min_version | Specifies the minimum TLS version. In most environments, the supported values are TLSv1.3 and TLSv1.2. In CentOS version 7 and earlier, the supported values are TLSv1, TLSv1.1, and SSLv3. | |

The listed properties can be enabled in the configuration file, specifically on each output plugin section or directly through the command line.

To use TLS for input plugins, you must provide both a certificate and private key.

Compatible plugins

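The following input plugins offer TLS support:

  • MQTT
  • TCP
  • HTTP
  • OpenTelemetry

The following output plugins offer TLS support:

  • Amazon CloudWatch
  • Amazon Kinesis Data Firehose
  • Amazon Kinesis Data Streams
  • Amazon S3
  • Azure
  • BigQuery
  • Datadog
  • Elasticsearch
  • Forward
  • GELF
  • HTTP
  • InfluxDB
  • Kafka REST Proxy
  • Loki
  • Slack
  • Splunk
  • Stackdriver
  • Syslog
  • TCP & TLS
  • Treasure Data

In addition, the following filter offers limited TLS support:

  • Kubernetes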

Example: Enable TLS on HTTP input

By default, the HTTP input plugin uses plain TCP. To enable TLS from the command line, use:

./bin/fluent-bit -i http \
           -p port=9999 \
           -p tls=on \
           -p tls.verify=off \
           -p tls.crt_file=self_signed.crt \
           -p tls.key_file=self_signed.key \
           -o stdout \
           -m '*'

In the previous command, the two properties tls and tls.verify were set explicitly for demonstration purposes (we strongly suggest always keeping verification on).

The same behavior can be accomplished using a configuration file:

[INPUT]
    name http
    port 9999
    tls on
    tls.verify off
    tls.crt_file self_signed.crt
    tls.key_file self_signed.key

[OUTPUT]
    Name       stdout
    Match      *

Example: Enable TLS on HTTP output

By default, the HTTP output plugin uses plain TCP. To enable TLS from the command line, use:

$ fluent-bit -i cpu -t cpu -o http://192.168.2.3:80/something \
    -p tls=on         \
    -p tls.verify=off \
    -m '*'

In the previous command, the two properties tls and tls.verify were set explicitly for demonstration purposes (we strongly suggest always keeping verification on).

The same behavior can be accomplished using a configuration file:

[INPUT]
    Name  cpu
    Tag   cpu

[OUTPUT]
    Name       http
    Match      *
    Host       192.168.2.3
    Port       80
    URI        /something
    tls        On
    tls.verify Off
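
A small audit of classic-mode configuration for the TLS settings shown in the examples above, added here as an illustration (it is not code from Calyptia or Fluent Bit). It reports TLS-enabled sections where tls.verify is turned off, where tls.min_version or tls.max_version names a protocol older than TLSv1.2, or where an input lacks tls.crt_file or tls.key_file. The function names, the accepted boolean spellings and the sample configuration are assumptions made for this example.

```python
import re

ON = {"on", "true", "yes"}            # assumed spellings of an enabled boolean
WEAK = {"sslv3", "tlsv1", "tlsv1.1"}  # protocol versions older than TLSv1.2

def parse_classic(text):
    """Return [(SECTION, {lowercased key: value})] from classic-mode config text."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1).upper(), {}))
        elif sections and line and not line.startswith("#"):
            key, *rest = line.split(None, 1)
            sections[-1][1][key.lower()] = rest[0] if rest else ""
    return sections

def audit_tls(text):
    """Return (section, plugin, issue) tuples for every TLS-enabled plugin section."""
    findings = []
    for kind, props in parse_classic(text):
        if kind not in ("INPUT", "OUTPUT") or props.get("tls", "off").lower() not in ON:
            continue
        name = props.get("name", "?")
        if props.get("tls.verify", "on").lower() not in ON:  # default is On
            findings.append((kind, name, "tls.verify is off"))
        for key in ("tls.min_version", "tls.max_version"):
            if props.get(key, "").lower() in WEAK:
                findings.append((kind, name, f"{key} allows {props[key]}"))
        if kind == "INPUT":  # TLS inputs need both a certificate and a private key
            findings += [(kind, name, f"{key} is missing")
                         for key in ("tls.crt_file", "tls.key_file") if not props.get(key)]
    return findings

# Constructed sample: a weak input, and an output relying on the tls.verify default.
SAMPLE = """
[INPUT]
    name http
    tls on
    tls.verify off
    tls.min_version TLSv1.1
    tls.crt_file self_signed.crt
[OUTPUT]
    Name forward
    tls On
"""

if __name__ == "__main__":
    print(*(" | ".join(f) for f in audit_tls(SAMPLE)), sep="\n")
```

Sections that do not enable tls are skipped, so plugins such as cpu or stdout produce no findings.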

Tips and tricks

Generate your own self-signed certificates for testing purposes.

The following command generates a 4096-bit RSA key pair and a certificate signed using SHA-256, with the expiration date set to 30 days in the future and test.host.net set as the common name. Because we opted out of DES (the -nodes option), the private key is stored in plain text.

openssl req -x509 \
            -newkey rsa:4096 \
            -sha256 \
            -nodes \
            -keyout self_signed.key \
            -out self_signed.crt \
            -subj "/CN=test.host.net"

Connect to virtual servers using TLS

[INPUT]
    Name  cpu
    Tag   cpu

[OUTPUT]
    Name        forward
    Match       *
    Host        192.168.10.100
    Port        24224
    tls         On
    tls.verify  On
    tls.ca_file /etc/certs/fluent.crt
    tls.vhost   fluent.example.com

Calyptia Core Agent supports TLS server name indication. If you are serving multiple hostnames on a single IP address (also known as virtual hosting), you can use tls.vhost to connect to a specific hostname.

Last updated 5 months ago
