topic Re: Paloalto TLS/SSL error while forwarding logs over TLS Syslog in Panorama Discussions

Paloalto TLS/SSL error while forwarding logs over TLS Syslog

vasanthakumaran.chandran — Thu, 09 May 2024 14:17:35 GMT

PKCS12 Certificate and Password generated from Paloalto is used at syslog server to establish connection between both system and used to decrypt the logs. However after establishing the connection the ssl handshake is broken and we see below error.

Syslog SSL error while writing stream; tls_error='rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding'. location='/opt/pancfg/mgmt/syslogng/pan_sysng,cfg:59:3'

Kindly help to understand this error, is it anything related to the certificate generated or do we have any other checklist to fix this issue.

Re: Paloalto TLS/SSL error while forwarding logs over TLS Syslog

Claw4609 — Thu, 09 May 2024 14:25:56 GMT

Hello,

Its possible its showing the incorrect error in relation to this bug ID:

PAN-241772	Fixed an issue where, when TLSv1.3 was used, an incorrect error message invalid padding was displayed instead of the expected error message Invalid server certificate .

The certificate used for secure syslog on the firewall needs to have the CN set as the IP address of the interface that it is using to send the secure syslog information. Is this the case in your setup? And are you using a self-signed certificate, if so does wherever you're logging syslog data to trust this certificate?

How To Setup Syslog Monitoring Over TLS - Knowledge Base - Palo Alto Networks

Re: Paloalto TLS/SSL error while forwarding logs over TLS Syslog

vasanthakumaran.chandran — Fri, 10 May 2024 05:28:48 GMT

Hi,

We are using TLSv1.2, is this also having incorrect error message issue?.

And CN ip address used is the Firewall interface IP, also the self-signed certificate is imported to the syslog server still we are not able to fix this error.

Syslog SSL error while writing stream; tls_error='rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding'. location='/opt/pancfg/mgmt/syslogng/pan_sysng,cfg:59:3'

Re: Paloalto TLS/SSL error while forwarding logs over TLS Syslog

Claw4609 — Fri, 10 May 2024 14:25:25 GMT

What version of Pan-os are you using? We've got secure syslog setup and I personally havent received that error before. What happens if you generate a different cert and try that? To confirm, do you have the "Certificate for Secure Syslog" checked on the cert

Re: Paloalto TLS/SSL error while forwarding logs over TLS Syslog

vasanthakumaran.chandran — Fri, 10 May 2024 14:47:00 GMT

pan os 10.2.8-h3 is the version. Yes we followed the guide How To Setup Syslog Monitoring Over TLS - Knowledge Base - Palo Alto Networks and "Certificate for Secure Syslog" checked on the cert. Also tried with different cert couple of time as well.

We have onboarded 3 more firewalls folowing the guide and no issues. Only this firewall is having error.

Attached the error for reference.

Re: Paloalto TLS/SSL error while forwarding logs over TLS Syslog

pvootla — Thu, 23 Jan 2025 19:07:58 GMT

Hi Vasanth, I am facing similar issue.. were you able to figure out what was wrong in your case?

Re: Paloalto TLS/SSL error while forwarding logs over TLS Syslog

vasanthakumaran.chandran — Thu, 23 Jan 2025 19:23:02 GMT

No help even from palo alto support team, so using normal syslog for log collection