TLS requires duplex communication, so if you only see a single packet, that probably means that QRadar is not configured to use TLS on that port. Wireshark can analyze the tcpdump packet capture so that you can see how far the TLS handshake completes. If TLS is not completed, no messages will be delivered.

On Mar 5, 2014 1:51 PM, <stefan.zahnd@id.unibe.ch> wrote:
Hi
I hope someone can help me!
The syslog-ng in our environment sends syslog messages using TLS to our SIEM (QRadar). The following is the configuration of the syslog-ng (IP changed):
# First, set some global options.
options {
    chain_hostnames(off);
    flush_lines(0);
    use_dns(yes);
    use_fqdn(no);
    owner("root");
    group("adm");
    perm(0640);
    stats_freq(0);
    bad_hostname("^gconfd$");
};

destination d_qradar_tls {
    tcp("1.2.3.4" port(6514)
        tls(
            peer-verify(required-untrusted)
            ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d")
        )
    );
};
destination d_qradar_local { file("/tmp/qradar_local"); };
source s_testlog { file("/tmp/testlog" flags(no-parse)); };
log { source(s_testlog); destination(d_qradar_local); destination(d_qradar_tls); };
When I insert a message into the testlog it is parsed and written into the local destination "d_qradar_local" but not sent to the remote destination. Syslog-NG in debugging mode (syslog-ng -Fevdt) shows the following:
...
Syslog connection established; fd='7', server='AF_INET(1.2.3.4:6514)', local='AF_INET(0.0.0.0:0)'
Incoming log entry; line='test'
Initializing destination file writer; template='/tmp/qradar_local', filename='/tmp/qradar_local'
Destination timed out, reaping; template='/tmp/qradar_local', filename='/tmp/qradar_local'
Closing log transport fd; fd='15'
Using tcpdump to check if some packets are sent to QRadar reveals that only the first insertion of a message into the testlog after a restart of syslog-ng leads to a packet sent to QRadar. Every other insertion has no effect on the remote destination but is always inserted into the local destination (file). Also, during the start of syslog-ng two packets are sent to QRadar.
I've also opened a ticket at IBM and am awaiting a response.
Thank you very much in advance for any help on this!
Kind regards,
Stefan
--
University of Bern
IT Services Department
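The handshake check suggested in the reply above, as an added example that is not part of this thread and not syslog-ng's or QRadar's code: a small Python probe that reports whether the peer answers a ClientHello at all, next to a constructed plain-TCP listener standing in for a receiver that is not configured for TLS. The host, port, listener and banner text are assumptions for illustration.

```python
import socket
import ssl
import threading

def probe_tls(host, port, timeout=3.0):
    """Try a TLS handshake to host:port and report how far it got. stage is
    tcp_connect_failed, no_server_hello (TCP accepted, but the peer never
    answers the ClientHello: the usual sign of a plain-TCP listener),
    handshake_failed (peer sent non-TLS bytes or TLS itself failed) or
    handshake_ok. Certificate checks are off: this is a reachability probe."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"stage": "tcp_connect_failed", "detail": str(exc)}
    try:
        # wrap_socket runs the handshake immediately on a connected socket
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"stage": "handshake_ok",
                    "detail": "%s %s" % (tls.version(), tls.cipher()[0])}
    except socket.timeout:
        return {"stage": "no_server_hello", "detail": "no TLS reply"}
    except (ssl.SSLError, OSError) as exc:
        return {"stage": "handshake_failed", "detail": str(exc)}
    finally:
        raw.close()

def start_plaintext_listener(banner=None):
    """Constructed stand-in for a syslog TCP receiver with no TLS: it accepts,
    optionally sends a plaintext banner, then only reads (the ClientHello is
    an opaque line to it) until the client gives up. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        try:
            if banner:
                conn.sendall(banner)
            while conn.recv(4096):  # drain until the client disconnects
                pass
        except OSError:
            pass
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real receiver, a `no_server_hello` result is the single-packet picture from the reply: the ClientHello leaves, nothing TLS comes back, so the destination never delivers.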