Send alerts to Syslog server with TLS failing with Certificate Verification Failed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Send alerts to Syslog server with TLS failing with Certificate Verification Failed

L1 Bithead

Hi, I'm trying to configure my TLS enabled Syslog server in Cortex but not successful. I'm always getting "Test failed : Certificate Verification Failed". When I tick the "Ignore certificate errors", the error disappears and one syslog message is received successfully but getting errors after that. Can you please help me figure this out? 

 

Syslog output:

Sep  7 12:10:01 syslogtest rsyslogd: unexpected GnuTLS error -110 in nsd_gtls.c:588: The TLS connection was non-properly terminated.  [v8.2112.0 try https://www.rsyslog.com/e/2078 ]
Sep  7 12:10:01 syslogtest rsyslogd: netstream session 0x7f50900098e0 from 34.90.105.250 will be closed due to error [v8.2112.0 try https://www.rsyslog.com/e/2078 ]
Sep  7 09:10:08 cortexxdr - CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR 3.7.0|XDR Agent|Example Cortex XDR Alert|0|end=1581471661000 shost=3D4WRQ2 suser=acme\\user deviceFacility=None cat=Restrictions externalId=11148 request=https://gan.xdr.eu.paloaltonetworks.com/alerts/11148 cs1=example.exe cs1Label=Initiated by cs2=example.exe cs2Label=Initiator CMD cs3=SIGNATURE_SIGNED-Microsoft Corporation cs3Label=Signature cs4=cmd.exe cs4Label=CGO name cs5=C:\\this\\is\\example.exe /c ""\\\\host1\\files\\example.bat" " cs5Label=CGO CMD cs6=SIGNATURE_SIGNED-Microsoft Corporation cs6Label=CGO Signature fileHash=BBBBBBBE8A5E66AC3C693F9B5D3762805CF2D8F1283291AF38321FC619B23115 targetprocesssignature=SIGNATURE_UNAVAILABLE-N/A tenantname=GAN tenantCDLid=2003685740608 CSPaccountname=Vg Estonia Ou initiatorSha256=BBBBBBBE8A5E66AC3C693F9B5D3762805CF2D8F1283291AF38321FC619B23115 cgoSha256=AAAAAAc4a0b7eb191783c323ab8363ebd1fd10be58d8bcc96b07067743ca81d5 act=Detected (Reported)
Sep  7 12:10:09 syslogtest rsyslogd: unexpected GnuTLS error -110 in nsd_gtls.c:588: The TLS connection was non-properly terminated.  [v8.2112.0 try https://www.rsyslog.com/e/2078 ]
Sep  7 12:10:09 syslogtest rsyslogd: netstream session 0x7f509000e610 from 34.90.105.250 will be closed due to error [v8.2112.0 try https://www.rsyslog.com/e/2078 ]

 

Syslog Config:

global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/etc/rsyslog.d/keys/ca.pem"
DefaultNetstreamDriverCertFile="/etc/rsyslog.d/keys/server-cert.pem"
DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/keys/server-key.pem"
)

module(
load="imtcp"
StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.Authmode="anon"
)

input(type="imtcp" port="6514")

 

4 REPLIES 4

L1 Bithead

Hi Isuru, thanks for reaching out.

Please double check on these steps to make sure you are not missing one and let us know if this helps: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Integrate-a...

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

Yes, I followed the steps correctly. As you can see, I can get one test syslog message to my server, but nothing after that until I restart my rsyslog service. 

Hi,

 

For  "Test failed : Certificate Verification Failed", have you tried any of these:

 

  • Incorrect certificate—to check that the certificate you are uploading corresponds to the server syslog certificate, use the following openssl command.

    openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate

    If the certificate is correct, the result is syslog_certificate: OK.

  • Incorrect hostname—make sure that the hostname/ip in the certificate matches the syslog server.

  • Certificate chain—If you are using a list of certificates, merge the chain into one certificate. You can concatenate the certificates using the following cat command in Linux or macOS.

    cat intermediate_cert root_cert > merged_syslog.crt       

    If the concatenated certificate doesn’t work, change the order of the root and intermediate certificates, and try again.

    To verify that the chain certificate was saved correctly, use the following openssl command.

    openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate

    If the certificate is correct, the result is syslog_certificate: OK.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

L0 Member

i have the same issue, but for log managment audit & agent audit log the server received, any have done for this case?

  • 3054 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!