
Networking

This documentation section is designed to guide you through the process of setting up and managing the networking of TeskaLabs LogMan.io. To ensure seamless functionality, it is important to follow the prescribed network configuration described below.

Network schema

Schema: Network overview of the LogMan.io cluster.

Fronting network

The fronting network is a private L2 or L3 segment that serves for log collection. For that reason, it has to be accessible from all log sources.

Each node (server) has a dedicated IPv4 address on a fronting network. IPv6 is also supported.

Fronting network must be available at all locations of the LogMan.io cluster.

User network

The user network is a private L2 or L3 segment that serves for user access to the Web User Interface. For that reason, it has to be accessible to all users.

Each node (server) has a dedicated IPv4 address on a user network. IPv6 is also supported.

User network must be available at all locations of the LogMan.io cluster.

Internal network

The internal network is a private L2 or L3 segment used for private cluster communication. It MUST BE dedicated to TeskaLabs LogMan.io, with no external access, to maintain the security envelope of the cluster. The internal network must provide encryption if it is operated in a shared environment (i.e. as a VLAN). This is a critical requirement for the security of the cluster.

Each node (server) has a dedicated IPv4 address on an internal network. IPv6 is also supported.

Internal network must be available at all locations of the LogMan.io cluster.

Containers running on the node use the "network mode" set to "host" on the internal network. This means that the container's network stack is not isolated from the node (host), and the container does not get its own IP address.

Connectivity

Each node (aka server) has the following connectivity requirements:

Fronting network

  • Minimal: 1Gbit NIC
  • Recommended: 2x bonded 10Gbit NIC

User network

  • Minimal: shared with the fronting network
  • Recommended: 1Gbit NIC

Internal network

  • Minimal: no NIC for single-node installations (internal only); otherwise 1Gbit NIC
  • Recommended: 2x bonded 10Gbit NIC
  • IPMI if available at the server level

Internet connectivity (NAT, firewalled, or behind a proxy server) via the fronting network OR the internal network.

SSL Server Certificate

The fronting network and the user network expose web interfaces over HTTPS on TCP port 443. For this reason, LogMan.io needs an SSL Server certificate.

It could be either:

  • self-signed SSL server certificate
  • SSL server certificate issued by the Certificate Authority operated internally by the user
  • SSL server certificate issued by a public (commercial) Certificate Authority

Tip

You can use the XCA tool to generate or verify your SSL certificates.

Self-signed certificate

This option is suitable for very small deployments. Users will get warnings from their browsers when accessing the LogMan.io Web interface. Also, insecure flags need to be used in collectors.

Create a self-signed SSL certificate using the OpenSSL command line:

openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes \
  -subj "/CN=logman.int"

This command will create key.pem (a private key) and cert.pem (a certificate) for the internal domain name logman.int.

Certificate from Certificate Authority

Parameters for the SSL Server certificate:

  • Private key: EC 384 bit, curve secp384r1 (minimum), alternatively RSA 2048 (minimum)
  • Subject Common name CN: Fully Qualified Domain Name of the LogMan.io user Web UI
  • X509v3 Subject Alternative Name: Fully Qualified Domain Name of the LogMan.io user Web UI set to "DNS"
  • Type: End Entity (X509v3 Basic Constraints: CA:FALSE), critical
  • X509v3 Subject Key Identifier set
  • X509v3 Authority Key Identifier set
  • X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
  • X509v3 Extended Key Usage: TLS Web Server Authentication

Example of an SSL Server certificate for http://logman.example.com/ (as printed by openssl x509 -text):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6227131463912672678 (0x566b3712dc2c4da6)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = logman.example.com
        Validity
            Not Before: Nov 16 11:17:00 2023 GMT
            Not After : Nov 15 11:17:00 2024 GMT
        Subject: CN = logman.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:79:e2:9f:69:cb:ac:f5:3f:93:43:56:a5:ac:d7:
                    cf:97:f9:ba:44:ee:9b:53:89:19:fd:91:02:0d:bd:
                    59:41:d6:ec:c6:2b:01:33:03:b6:3e:4a:1d:f4:e9:
                    2c:3f:af:49:92:79:9c:00:0b:0b:e3:28:7b:13:33:
                    b4:ac:88:d7:9c:0a:7b:95:90:09:a2:f7:aa:ce:7c:
                    51:3e:3a:94:af:a8:4b:65:4f:82:90:6a:2f:a9:57:
                    25:6f:5f:80:09:4c:cb
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                49:7A:34:F8:A6:EB:6D:8E:92:42:57:BB:EB:2D:B3:82:F4:98:9D:17
            X509v3 Authority Key Identifier:
                49:7A:34:F8:A6:EB:6D:8E:92:42:57:BB:EB:2D:B3:82:F4:98:9D:17
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:logman.example.com
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:64:02:30:16:09:95:f4:04:1b:99:f4:06:ef:1e:63:4e:aa:
        1d:21:b0:b1:31:c1:84:9a:a9:55:c6:14:bd:a1:62:c5:14:14:
        35:73:da:8b:a8:7b:f2:f6:4c:8c:b0:6b:72:79:5f:4c:02:30:
        49:6f:ef:05:0f:dd:28:fb:26:f8:76:71:01:f3:e4:da:63:72:
        17:db:96:fb:5c:09:43:f8:7b:3b:a1:b6:dc:23:31:66:5d:23:
        18:94:0b:e4:af:8b:57:1e:c3:3d:93:6f

Generate a CSR

If the Certificate Authority requires a CSR to be submitted to receive an SSL certificate, follow this procedure:

1. Generate a private key:

openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out key.pem

This command will create key.pem containing the private key (a P-384 key, matching the secp384r1 minimum from the parameter list above).

2. Create a CSR using the generated private key:

openssl req -new -key key.pem -out csr.pem -subj "/CN=logman.example.com" \
  -addext "subjectAltName=DNS:logman.example.com"

This command will produce the csr.pem file containing the Certificate Signing Request, with both the Common Name and the DNS Subject Alternative Name set as required by the parameter list above.

Replace logman.example.com with the FQDN (domain name) of the LogMan.io deployment.

3. Submit the CSR to the Certificate Authority.

The Certificate Authority will issue a certificate; store it as cert.pem in PEM format.
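The following script is an added example and is not part of the LogMan.io documentation or product. It wraps the CSR procedure above (P-384 key plus a CSR carrying the DNS Subject Alternative Name), stands in for step 3 with a throwaway local CA so that a cert.pem can be produced offline, and then checks the issued certificate against the parameter list from the "Certificate from Certificate Authority" section: key strength, CN and SAN, critical end-entity Basic Constraints, Subject and Authority Key Identifiers, Key Usage and Extended Key Usage. It also confirms that the returned certificate wraps the public half of key.pem, which is the check to run on whatever a real CA sends back. The FQDN logman.example.com, the "Test CA" name and all file names are constructed placeholders; the script assumes OpenSSL 1.1.1 or newer (for -addext).

```shell
#!/bin/sh
# Added example (not LogMan.io code): CSR generation, a stand-in CA, and a
# checker for the certificate parameter list. All names are placeholders.
set -eu

# Steps 1 and 2 of the procedure: P-384 private key and a CSR that carries
# both the CN and the DNS Subject Alternative Name.
make_csr() {
    fqdn="$1"; dir="$2"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 -out "$dir/key.pem"
    openssl req -new -key "$dir/key.pem" -out "$dir/csr.pem" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn"
}

# Stand-in for step 3: a throwaway local CA (assumption, for offline use only)
# issues cert.pem with exactly the extensions the parameter list asks for.
sign_with_local_ca() {
    fqdn="$1"; dir="$2"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" -days 365 -subj "/CN=Test CA" 2>/dev/null
    printf '%s\n' \
        'basicConstraints = critical, CA:FALSE' \
        'subjectKeyIdentifier = hash' \
        'authorityKeyIdentifier = keyid' \
        'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, keyAgreement' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$fqdn" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/csr.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 365 -sha384 -extfile "$dir/ext.cnf" -out "$dir/cert.pem" 2>/dev/null
}

# The line that follows a given extension header in "openssl x509 -text" output.
ext_value() {
    printf '%s\n' "$2" | sed -n "/$1/{n;p;}" | head -n 1
}

# Check a PEM certificate against the parameter list. Prints one line per
# finding and returns non-zero if anything is missing.
check_cert() {
    cert="$1"; fqdn="$2"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text)
    # EC keys need at least 384 bits, RSA keys at least 2048 bits.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if printf '%s\n' "$text" | grep -q 'id-ecPublicKey'; then min=384; else min=2048; fi
    if [ "${bits:-0}" -lt "$min" ]; then echo "FAIL key: ${bits:-?} bit, need >= $min"; rc=1; fi
    if ! printf '%s\n' "$text" | grep -q "Subject: CN *= *$fqdn"; then echo "FAIL CN: $fqdn"; rc=1; fi
    if ! printf '%s\n' "$text" | grep -q "DNS:$fqdn"; then echo "FAIL SAN: DNS:$fqdn"; rc=1; fi
    if ! ext_value 'Basic Constraints: critical' "$text" | grep -q 'CA:FALSE'; then
        echo "FAIL basic constraints: need critical, CA:FALSE"; rc=1
    fi
    for h in 'Subject Key Identifier' 'Authority Key Identifier'; do
        if ! printf '%s\n' "$text" | grep -q "X509v3 $h"; then echo "FAIL $h missing"; rc=1; fi
    done
    ku=$(ext_value 'X509v3 Key Usage' "$text")
    for u in 'Digital Signature' 'Non Repudiation' 'Key Encipherment' 'Key Agreement'; do
        case "$ku" in *"$u"*) ;; *) echo "FAIL key usage: $u missing"; rc=1 ;; esac
    done
    case "$(ext_value 'X509v3 Extended Key Usage' "$text")" in
        *'TLS Web Server Authentication'*) ;;
        *) echo "FAIL extended key usage: TLS Web Server Authentication missing"; rc=1 ;;
    esac
    return "$rc"
}

# The certificate returned by the CA must wrap the public half of key.pem;
# both commands print the same SubjectPublicKeyInfo in PEM form.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Usage: sh check_cert.sh demo   (the file name is an assumption)
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_csr logman.example.com "$work"
    sign_with_local_ca logman.example.com "$work"
    if check_cert "$work/cert.pem" logman.example.com && key_matches_cert "$work/key.pem" "$work/cert.pem"; then
        echo "$work/cert.pem meets the parameter list"
    else
        echo "$work/cert.pem does not meet the parameter list"; exit 1
    fi
fi
```

Running check_cert against a certificate made with the self-signed command from the "Self-signed certificate" section reports the 256-bit key and the missing extensions, which is why that option is reserved for very small deployments; against a certificate issued for the CSR above it should report nothing and return 0.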