https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/send-alerts-to-syslog-server-with-tls-failing-with-certificate/m-p/556953#M5099 <P>Hi, I'm trying to configure my TLS enabled Syslog server in Cortex but not successful. I'm always getting "<SPAN>Test failed : Certificate Verification Failed". When I tick the "Ignore certificate errors", the error disappears and one syslog message is received successfully but getting errors after that. Can you please help me figure this out?&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Syslog output:</SPAN></P> <LI-CODE lang="markup">Sep 7 12:10:01 syslogtest rsyslogd: unexpected GnuTLS error -110 in nsd_gtls.c:588: The TLS connection was non-properly terminated. [v8.2112.0 try https://www.rsyslog.com/e/2078 ] Sep 7 12:10:01 syslogtest rsyslogd: netstream session 0x7f50900098e0 from 34.90.105.250 will be closed due to error [v8.2112.0 try https://www.rsyslog.com/e/2078 ] Sep 7 09:10:08 cortexxdr - CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR 3.7.0|XDR Agent|Example Cortex XDR Alert|0|end=1581471661000 shost=3D4WRQ2 suser=acme\\user deviceFacility=None cat=Restrictions externalId=11148 request=https://gan.xdr.eu.paloaltonetworks.com/alerts/11148 cs1=example.exe cs1Label=Initiated by cs2=example.exe cs2Label=Initiator CMD cs3=SIGNATURE_SIGNED-Microsoft Corporation cs3Label=Signature cs4=cmd.exe cs4Label=CGO name cs5=C:\\this\\is\\example.exe /c ""\\\\host1\\files\\example.bat" " cs5Label=CGO CMD cs6=SIGNATURE_SIGNED-Microsoft Corporation cs6Label=CGO Signature fileHash=BBBBBBBE8A5E66AC3C693F9B5D3762805CF2D8F1283291AF38321FC619B23115 targetprocesssignature=SIGNATURE_UNAVAILABLE-N/A tenantname=GAN tenantCDLid=2003685740608 CSPaccountname=Vg Estonia Ou initiatorSha256=BBBBBBBE8A5E66AC3C693F9B5D3762805CF2D8F1283291AF38321FC619B23115 cgoSha256=AAAAAAc4a0b7eb191783c323ab8363ebd1fd10be58d8bcc96b07067743ca81d5 act=Detected (Reported) Sep 7 12:10:09 syslogtest rsyslogd: unexpected GnuTLS error -110 in nsd_gtls.c:588: The TLS connection was non-properly terminated. [v8.2112.0 try https://www.rsyslog.com/e/2078 ] Sep 7 12:10:09 syslogtest rsyslogd: netstream session 0x7f509000e610 from 34.90.105.250 will be closed due to error [v8.2112.0 try https://www.rsyslog.com/e/2078 ]</LI-CODE> <P>&nbsp;</P> <P>Syslog Config:</P> <LI-CODE lang="markup">global( DefaultNetstreamDriver="gtls" DefaultNetstreamDriverCAFile="/etc/rsyslog.d/keys/ca.pem" DefaultNetstreamDriverCertFile="/etc/rsyslog.d/keys/server-cert.pem" DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/keys/server-key.pem" ) module( load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="anon" ) input(type="imtcp" port="6514")</LI-CODE> <P>&nbsp;</P> Thu, 07 Sep 2023 09:21:53 GMT Isuru 2023-09-07T09:21:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/send-alerts-to-syslog-server-with-tls-failing-with-certificate/m-p/556953#M5099 <P>Hi, I'm trying to configure my TLS enabled Syslog server in Cortex but not successful. I'm always getting "<SPAN>Test failed : Certificate Verification Failed". When I tick the "Ignore certificate errors", the error disappears and one syslog message is received successfully but getting errors after that. Can you please help me figure this out?&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Syslog output:</SPAN></P> <LI-CODE lang="markup">Sep 7 12:10:01 syslogtest rsyslogd: unexpected GnuTLS error -110 in nsd_gtls.c:588: The TLS connection was non-properly terminated. [v8.2112.0 try https://www.rsyslog.com/e/2078 ] Sep 7 12:10:01 syslogtest rsyslogd: netstream session 0x7f50900098e0 from 34.90.105.250 will be closed due to error [v8.2112.0 try https://www.rsyslog.com/e/2078 ] Sep 7 09:10:08 cortexxdr - CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR 3.7.0|XDR Agent|Example Cortex XDR Alert|0|end=1581471661000 shost=3D4WRQ2 suser=acme\\user deviceFacility=None cat=Restrictions externalId=11148 request=https://gan.xdr.eu.paloaltonetworks.com/alerts/11148 cs1=example.exe cs1Label=Initiated by cs2=example.exe cs2Label=Initiator CMD cs3=SIGNATURE_SIGNED-Microsoft Corporation cs3Label=Signature cs4=cmd.exe cs4Label=CGO name cs5=C:\\this\\is\\example.exe /c ""\\\\host1\\files\\example.bat" " cs5Label=CGO CMD cs6=SIGNATURE_SIGNED-Microsoft Corporation cs6Label=CGO Signature fileHash=BBBBBBBE8A5E66AC3C693F9B5D3762805CF2D8F1283291AF38321FC619B23115 targetprocesssignature=SIGNATURE_UNAVAILABLE-N/A tenantname=GAN tenantCDLid=2003685740608 CSPaccountname=Vg Estonia Ou initiatorSha256=BBBBBBBE8A5E66AC3C693F9B5D3762805CF2D8F1283291AF38321FC619B23115 cgoSha256=AAAAAAc4a0b7eb191783c323ab8363ebd1fd10be58d8bcc96b07067743ca81d5 act=Detected (Reported) Sep 7 12:10:09 syslogtest rsyslogd: unexpected GnuTLS error -110 in nsd_gtls.c:588: The TLS connection was non-properly terminated. [v8.2112.0 try https://www.rsyslog.com/e/2078 ] Sep 7 12:10:09 syslogtest rsyslogd: netstream session 0x7f509000e610 from 34.90.105.250 will be closed due to error [v8.2112.0 try https://www.rsyslog.com/e/2078 ]</LI-CODE> <P>&nbsp;</P> <P>Syslog Config:</P> <LI-CODE lang="markup">global( DefaultNetstreamDriver="gtls" DefaultNetstreamDriverCAFile="/etc/rsyslog.d/keys/ca.pem" DefaultNetstreamDriverCertFile="/etc/rsyslog.d/keys/server-cert.pem" DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/keys/server-key.pem" ) module( load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="anon" ) input(type="imtcp" port="6514")</LI-CODE> <P>&nbsp;</P> Thu, 07 Sep 2023 09:21:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/send-alerts-to-syslog-server-with-tls-failing-with-certificate/m-p/556953#M5099 Isuru 2023-09-07T09:21:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/send-alerts-to-syslog-server-with-tls-failing-with-certificate/m-p/557049#M5107 <P>Hi <A id="link_7" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/296350" target="_self" aria-label="View Profile of Isuru"><SPAN class="">Isuru</SPAN></A>, thanks for reaching out.</P> <P>Please double check on these steps to make sure you are not missing one and let us know if this helps:&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Integrate-a-Syslog-Receiver" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Integrate-a-Syslog-Receiver</A></P> Thu, 07 Sep 2023 20:46:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/send-alerts-to-syslog-server-with-tls-failing-with-certificate/m-p/557049#M5107 mavega 2023-09-07T20:46:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/send-alerts-to-syslog-server-with-tls-failing-with-certificate/m-p/557133#M5110 <P>Yes, I followed the steps correctly. As you can see, I can get one test syslog message to my server, but nothing after that until I restart my rsyslog service.&nbsp;</P> Fri, 08 Sep 2023 07:01:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/send-alerts-to-syslog-server-with-tls-failing-with-certificate/m-p/557133#M5110 Isuru 2023-09-08T07:01:19Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/send-alerts-to-syslog-server-with-tls-failing-with-certificate/m-p/557424#M5121 <P>Hi,</P> <P>&nbsp;</P> <P>For <SPAN>&nbsp;"</SPAN><SPAN>Test failed : Certificate Verification Failed"</SPAN>, have you tried any of these:</P> <P>&nbsp;</P> <UL class="itemizedlist"> <LI class="listitem"> <P>Incorrect certificate—to check that the certificate you are uploading corresponds to the server syslog certificate, use the following openssl command.</P> <PRE class="programlisting hljs language-objectivec"><CODE>openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate</CODE></PRE> <P>If the certificate is correct, the result is<SPAN>&nbsp;</SPAN><CODE class="computeroutput hljs language-makefile"><SPAN class="hljs-section">syslog_certificate: OK</SPAN></CODE>.</P> </LI> <LI class="listitem"> <P>Incorrect hostname—make sure that the hostname/ip in the certificate matches the syslog server.</P> </LI> <LI class="listitem"> <P>Certificate chain—If you are using a list of certificates, merge the chain into one certificate. You can concatenate the certificates using the following cat command in Linux or macOS.</P> <PRE class="programlisting hljs language-bash"><CODE>cat intermediate_cert root_cert &gt; merged_syslog.crt </CODE></PRE> <P>If the concatenated certificate doesn’t work, change the order of the root and intermediate certificates, and try again.</P> <P>To verify that the chain certificate was saved correctly, use the following openssl command.</P> <PRE class="programlisting hljs language-objectivec"><CODE>openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate</CODE></PRE> <P>If the certificate is correct, the result is<SPAN>&nbsp;</SPAN><CODE class="computeroutput hljs language-makefile"><SPAN class="hljs-section">syslog_certificate: OK</SPAN></CODE>.</P> </LI> </UL> Mon, 11 Sep 2023 21:49:37 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/send-alerts-to-syslog-server-with-tls-failing-with-certificate/m-p/557424#M5121 mavega 2023-09-11T21:49:37Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/send-alerts-to-syslog-server-with-tls-failing-with-certificate/m-p/575466#M6005 <P>i have the same issue, but for log managment audit &amp; agent audit log the server received, any have done for this case?</P> Fri, 02 Feb 2024 07:38:01 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/send-alerts-to-syslog-server-with-tls-failing-with-certificate/m-p/575466#M6005 al-westcon 2024-02-02T07:38:01Z