Apparently it is not possible to use SSL/TLS for Kafka inputs in the latest version, or there is no documentation for it.
Kafka inputs should allow SSL for accessing the server.
There is no option related to SSL/TLS in Kafka inputs.
No idea :)
This feature is important when you want to transfer log data across the globe and don't want unwanted access by wiretappers.
We have multiple sites in different locations; each site stores all data in a Kafka server, and one Graylog server connects to each site and reads log data.
This would be highly appreciated in order to fulfill regulatory and compliance requirements!
Best regards
@tokred sorry, I didn't understand what you mean.
@k1-hedayati I think @tokred simply wants to express some approval of this feature request.
So I guess this doesn't involve me, ok :)
+1
@joschi I have worked with a few other devs on upgrading Kafka to 1.0.1 and have it successfully working. This allows users to enable/disable SSL/TLS. I am looking to make a PR to the master branch for this so you all can enjoy the benefits as well. Is backwards compatibility a requirement, or is it more of a nice-to-have? From version 0.9 to 1.0.1 there were a lot of deprecated API calls, so adding backwards compatibility may take a lot more work.
@pbr0ck3r Unfortunately it's not that easy, since Graylog is using Kafka's journal implementation for its own message journal (see KafkaJournal), and Kafka 0.10.x and later broke backwards compatibility with it.
That being said, keeping Kafka 0.9.x in Graylog and adding a new Kafka transport using the newer Kafka Java client libraries could work.
@joschi I have Kafka 1.0.1 working and have modified the KafkaJournal. If I submitted this code in a PR, would it most likely be accepted for 3.0?
> I have Kafka 1.0.1 working and have modified the KafkaJournal.
@pbr0ck3r Does it still support reading journal segments written with the old version?
I will make sure that older journal versions can still be read. Assuming that I can include that functionality, would that be sufficient for core Graylog?
> Assuming that I can include that functionality, would that be sufficient for core Graylog?
Yes, definitely.
Awesome! Thanks for the feedback!
You can also use stunnel to terminate the TLS:
```
; stunnel in client mode: plaintext in from Graylog on localhost, TLS out to the broker
; cert/key are the client certificate presented to the broker (mutual TLS)
cert = your_cert.pem
key = your_cert.key
client = yes
foreground = yes
sslVersion = TLSv1.2
ciphers = HIGH
; note: without CAfile = /path/to/ca.pem and verifyChain = yes, stunnel does
; not verify the broker's certificate, so this only encrypts the link
[kafka]
; Graylog's Kafka input connects to the local plaintext side
accept = 127.0.0.1:9092
connect = kafka01.example.com:9492
```
However, I ended up writing a small proxy which provides backpressure by checking Graylog's embedded Kafka queue size and throttling input from the external Kafka server, so I'm not actually using this in production. It did seem to work, but it required direct access to ZooKeeper for what appears to be an old-style consumer that stores offsets in ZK.
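The stunnel workaround above terminates TLS outside the consumer. The alternative the thread is asking for is to let the Kafka Java client do TLS itself, which is what a Kafka 1.x-based transport would configure. The following is an added example, not Graylog's code and not the code from any PR in this thread; the broker address, topic, group id, keystore paths and passwords are placeholders. It also shows the one setting a reviewer should look for: in kafka-clients before 2.0.0 `ssl.endpoint.identification.algorithm` defaults to empty, so the client checks that the broker certificate chains to a trusted CA but not that it was issued for the host it connected to.

```java
import java.util.Collections;
import java.util.Properties;

import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.clients.consumer.ConsumerRecord;
import org.apache.kafka.clients.consumer.ConsumerRecords;
import org.apache.kafka.clients.consumer.KafkaConsumer;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.serialization.ByteArrayDeserializer;

/**
 * Added example (not Graylog's code): a kafka-clients 1.x consumer that reads a
 * topic over TLS with broker certificate and hostname verification, presenting a
 * client certificate for mutual TLS. All hosts, paths and passwords are placeholders.
 */
public class TlsKafkaConsumerExample {

    static Properties tlsConsumerProperties() {
        Properties p = new Properties();
        // Placeholder broker; 9093 is the conventional port for a broker's SSL listener.
        p.put(CommonClientConfigs.BOOTSTRAP_SERVERS_CONFIG, "kafka01.example.com:9093");
        p.put(ConsumerConfig.GROUP_ID_CONFIG, "graylog-site-a");
        p.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, ByteArrayDeserializer.class.getName());
        p.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, ByteArrayDeserializer.class.getName());
        p.put(ConsumerConfig.AUTO_OFFSET_RESET_CONFIG, "earliest");

        // Switch the transport from the default PLAINTEXT to SSL.
        p.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
        // Truststore containing the CA that issued the broker certificate.
        p.put(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG, "/etc/graylog/kafka/truststore.jks");
        p.put(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG, "changeit");
        // kafka-clients < 2.0.0 default this to "" (no hostname check), which lets any
        // certificate from the trusted CA impersonate the broker. Set it explicitly.
        p.put(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, "https");
        p.put(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, "TLSv1.2");

        // Client certificate so the broker can authenticate the consumer as well.
        p.put(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG, "/etc/graylog/kafka/client.jks");
        p.put(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG, "changeit");
        p.put(SslConfigs.SSL_KEY_PASSWORD_CONFIG, "changeit");
        return p;
    }

    public static void main(String[] args) {
        try (KafkaConsumer<byte[], byte[]> consumer = new KafkaConsumer<>(tlsConsumerProperties())) {
            // Placeholder topic name.
            consumer.subscribe(Collections.singletonList("graylog-logs"));
            while (true) {
                // kafka-clients 1.x signature: poll(long timeoutMs); 2.x+ takes a Duration.
                ConsumerRecords<byte[], byte[]> records = consumer.poll(1000L);
                for (ConsumerRecord<byte[], byte[]> r : records) {
                    System.out.printf("%s-%d@%d: %d bytes%n",
                            r.topic(), r.partition(), r.offset(), r.value().length);
                }
            }
        }
    }
}
```

Leaving out the keystore lines gives server-authenticated TLS only, which is enough for the wiretapping concern raised in the issue; the truststore and the `https` endpoint identification are the two settings that must not be omitted, otherwise the link is encrypted but not authenticated.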
@joschi Is the only backwards compatibility you are looking for that the new Kafka code would be able to read older Kafka journals? Right now, Kafka in my dev environment is upgraded to 1.0.1, and you can create inputs with SSL and non-SSL and messages flow into GL fine. I am running a Kafka 1.0.1 server. Would you expect that when this is merged into Graylog, users would need to update their Kafka instances? Just looking for what your expectations of backwards compatibility are. Thank you.
The ability to use SSL is added in this PR: https://github.com/Graylog2/graylog2-server/pull/4770