<p dir="ltr">TLS requires duplex communication, so if you only see a single packet, that probably means that QRadar is not configured to use TLS on that port.</p>
<p dir="ltr">Wireshark can analyze the tcpdump packet capture so that you can see how far the TLS handshake completes.</p>
<p dir="ltr">If TLS is not completed, no messages will be delivered.</p>
<div class="gmail_quote">On Mar 5, 2014 1:51 PM, <<a href="mailto:stefan.zahnd@id.unibe.ch">stefan.zahnd@id.unibe.ch</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="font-size:12px;font-family:Courier,sans-serif;word-wrap:break-word">
<div>Hi</div>
<div><br>
</div>
<div>I hope someone can help me!</div>
<div><br>
</div>
<div>The syslog-ng in our environment sends syslog messages using TLS to our SIEM (QRadar). The following is the configuration of the syslog-ng (IP changed):</div>
<div><br>
</div>
<div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div># First, set some global options.</div>
<div>options { chain_hostnames(off); flush_lines(0); use_dns(yes); use_fqdn(no);</div>
<div> owner("root"); group("adm"); perm(0640); stats_freq(0);</div>
<div> bad_hostname("^gconfd$");</div>
<div>};</div>
<div><br>
</div>
<div>destination d_qradar_tls { tcp("1.2.3.4" port(6514) tls(peer-verify(required-untrusted) ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d"))); };</div>
<div>destination d_qradar_local { file("/tmp/qradar_local"); };</div>
<div>source s_testlog {</div>
<div> file("/tmp/testlog" flags(no-parse)); };</div>
<div>log {</div>
<div> source(s_testlog);</div>
<div> destination(d_qradar_local);</div>
<div> destination(d_qradar_tls);</div>
<div>};</div>
</blockquote>
</div>
<div><br>
</div>
<div>When I insert a message into the testlog it is parsed and written into the local destination "d_qradar_local" but not sent to the remote destination. syslog-ng in debugging mode (syslog-ng -Fevdt) shows the following:</div>
<div><br>
</div>
<div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div>…</div>
<div>Syslog connection established; fd='7', server='AF_INET(1.2.3.4:6514)', local='AF_INET(0.0.0.0:0)'</div>
<div>Incoming log entry; line='test'</div>
<div>Initializing destination file writer; template='/tmp/qradar_local', filename='/tmp/qradar_local'</div>
<div>Destination timed out, reaping; template='/tmp/qradar_local', filename='/tmp/qradar_local'</div>
<div>Closing log transport fd; fd='15'</div>
</blockquote>
</div>
<div><br>
</div>
<div>Using tcpdump to check whether any packets are sent to QRadar reveals that only the first insertion of a message into the testlog after a restart of syslog-ng leads to a packet sent to QRadar. Every other insertion has no effect on the remote destination but is always inserted into the local destination (file). Also, during the start of syslog-ng two packets are sent to QRadar.</div>
<div><br>
</div>
<div>I've also opened a ticket at IBM and am awaiting a response.</div>
<div><br>
</div>
<div>Thank you very much in advance for any help on this!</div>
<div><br>
</div>
<div>Kind regards, Stefan</div>
<div>
<div>--</div>
<div style="font-size:14px"><span style="font-size:12px">University of Bern</span></div>
<div style="font-size:14px"><span style="font-size:12px">IT Services Department</span></div>
<div style="font-size:14px"><br>
</div>
</div>
</div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div>
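<p dir="ltr">Reading the capture the reply describes, as an added example that is not part of the original thread: the script below labels each TCP payload of a syslog-ng to QRadar flow as a TLS record (ClientHello, ServerHello, alert) or as a plaintext syslog message, and then states how far the handshake got. The sample payloads are constructed in the script (a minimal TLS 1.2 ClientHello and ServerHello, a fatal handshake_failure alert, one plaintext message); the "client"/"server" direction labels and the verdict strings are this example's own, not syslog-ng or QRadar output.</p>

```python
"""Added example (not from the original thread): classify the TCP payloads of a
syslog-ng -> QRadar flow as TLS records or plaintext syslog and report how far
the handshake got.  Feed it the payload bytes of each segment from a tcpdump
capture (e.g. exported from Wireshark's "Follow TCP Stream").  All sample
payloads below are constructed here, not captured from the poster's systems.
"""
import re
import struct
from typing import List, Tuple

# TLS record-layer content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Handshake message types relevant to "how far did the handshake get".
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
# Alert descriptions a syslog-over-TLS deployment typically runs into.
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
                      48: "unknown_ca", 70: "protocol_version", 80: "internal_error"}


def classify_payload(data: bytes) -> str:
    """Label the first TLS record, or the plaintext syslog message, in one TCP segment."""
    if len(data) >= 5:
        ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
        # Every TLS 1.x record starts with a known content type and version 3.1 .. 3.4.
        if ctype in CONTENT_TYPES and major == 3 and 1 <= minor <= 4:
            label = "tls/" + CONTENT_TYPES[ctype]
            if ctype == 22 and len(data) >= 6:          # handshake: byte 5 is the message type
                label += "/" + HANDSHAKE_TYPES.get(data[5], "type%d" % data[5])
            elif ctype == 21 and len(data) >= 7:        # alert: byte 5 level, byte 6 description
                label += "/" + ALERT_DESCRIPTIONS.get(data[6], "code%d" % data[6])
            return label
    text = data.decode("ascii", errors="replace")
    if re.match(r"^\d+ <\d{1,3}>", text):
        return "plaintext-syslog/octet-counted"         # RFC 6587 octet-counting framing
    if re.match(r"^<\d{1,3}>", text):
        return "plaintext-syslog"                       # classic <PRI> framing, newline-terminated
    return "unknown"


def diagnose(flow: List[Tuple[str, bytes]]) -> str:
    """flow: (sender, payload) pairs in capture order, sender being 'client' or 'server'."""
    client = [classify_payload(p) for who, p in flow if who == "client"]
    server = [classify_payload(p) for who, p in flow if who == "server"]
    if not any(l.startswith("tls/") for l in client):
        return "client never sent a TLS record: the destination is not using tls() on this port"
    if "tls/handshake/ClientHello" in client and not server:
        return "ClientHello sent, no reply: server is not speaking TLS on this port (or traffic is blocked)"
    alerts = [l for l in server if l.startswith("tls/alert/")]
    if alerts:
        return "handshake rejected by server: " + alerts[0].rsplit("/", 1)[1]
    if any(not l.startswith("tls/") for l in server):
        return "server answered without TLS: the port expects plaintext syslog"
    if "tls/handshake/ServerHello" in server:
        return "handshake in progress: ServerHello received"
    return "inconclusive"


# --- constructed sample payloads -------------------------------------------
def tls_record(ctype: int, body: bytes, version: Tuple[int, int] = (3, 3)) -> bytes:
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


RANDOM = b"\x00" * 32   # fixed instead of os.urandom so the example is deterministic
# Minimal TLS 1.2 ClientHello: version, random, empty session id, one cipher suite
# (TLS_RSA_WITH_AES_128_CBC_SHA), null compression, no extensions; record version 3.1.
CLIENT_HELLO = tls_record(22, handshake_msg(1, b"\x03\x03" + RANDOM + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"), (3, 1))
SERVER_HELLO = tls_record(22, handshake_msg(2, b"\x03\x03" + RANDOM + b"\x00" + b"\x00\x2f" + b"\x00"))
FATAL_HANDSHAKE_FAILURE = tls_record(21, b"\x02\x28")          # level fatal (2), description 40
PLAINTEXT_SYSLOG = b"<13>Mar  5 13:51:00 host test\n"         # constructed sample message

if __name__ == "__main__":
    scenarios = {
        "one packet, no answer": [("client", CLIENT_HELLO)],
        "client not using tls()": [("client", PLAINTEXT_SYSLOG)],
        "server refuses": [("client", CLIENT_HELLO), ("server", FATAL_HANDSHAKE_FAILURE)],
        "server is plaintext": [("client", CLIENT_HELLO), ("server", PLAINTEXT_SYSLOG)],
        "handshake proceeding": [("client", CLIENT_HELLO), ("server", SERVER_HELLO)],
    }
    for name, flow in scenarios.items():
        print("%-24s -> %s" % (name, diagnose(flow)))
```

<p dir="ltr">The two cases the reply distinguishes map onto the first two verdicts: a single ClientHello with nothing coming back points at the receiving port, a client that never emits a TLS record points at the tls() block of the destination. One caveat when reading the result against the quoted config: peer-verify(required-untrusted) asks the server for a certificate but does not validate it against ca_dir, so a trust-chain problem would not show up here as a client-side certificate alert; what the classifier can see is whether the server answers with TLS at all and, if it does, which alert it sends.</p>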