[syslog-ng] TLS-Syslog not working

stefan.zahnd at id.unibe.ch stefan.zahnd at id.unibe.ch
Wed Mar 5 13:50:58 CET 2014


Hi

I hope someone can help me!

The syslog-ng in our environment sends syslog messages using tls to our SIEM (Qradar). The following is the configuration of the syslog-ng (ip changed):

# First, set some global options.
options { chain_hostnames(off); flush_lines(0); use_dns(yes); use_fqdn(no);
          owner("root"); group("adm"); perm(0640); stats_freq(0);
          bad_hostname("^gconfd$");
};

destination d_qradar_tls {tcp("1.2.3.4" port(6514) tls( peer-verify(required-untrusted) ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d")) ); };
destination d_qradar_local { file("/tmp/qradar_local"); };
source s_testlog {
        file("/tmp/testlog" flags(no-parse)); };
log {
        source(s_testlog);
        destination(d_qradar_local);
        destination(d_qradar_tls);
};

When I insert a message into the testlog it is parsed and written into the local destination "d_qradar_local" but not sent to the remote destination. Syslog-NG in debugging mode (syslog-ng -Fevdt) shows the following:

…
Syslog connection established; fd='7', server='AF_INET(1.2.3.4:6514)', local='AF_INET(0.0.0.0:0)'
Incoming log entry; line='test'
Initializing destination file writer; template='/tmp/qradar_local', filename='/tmp/qradar_local'
Destination timed out, reaping; template='/tmp/qradar_local', filename='/tmp/qradar_local'
Closing log transport fd; fd='15'

Using tcpdump to check if some packets are sent to Qradar reveals that only the first insertion of a message into the testlog after a restart of syslog-ng leads to a packet sent to Qradar. Every other insertion has no effect on the remote destination but is always inserted into the local destination (file). Also during the start of syslog-ng two packets are sent to qradar.

I've also opened a ticket at IBM and am awaiting a response.

Thank you very much in advance for any help on this!

Kind regards, Stefan
--
University of Bern
IT Services Department
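Two details of the configuration above are worth checking before chasing the transport problem, and neither is visible from the debug output alone: the typographic quotes around the address (whether typed or substituted by a mail client, syslog-ng's parser only accepts ASCII quotes), and `peer-verify(required-untrusted)`, which asks the SIEM for a certificate but never validates it against `ca_dir()`, so the link is encrypted but the peer is not authenticated. The following is an added example, not code from the post or from the syslog-ng project: a small Python audit that extracts the TLS settings of each `destination` block, normalises the quotes, and reports what the chosen `peer_verify()` mode actually guarantees. The sample configuration embedded in it is constructed from the post; the regexes cover only the `tcp()`/`network()`/`syslog()` option forms shown here and are not a full syslog-ng config parser.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the destinations from the post, including the curly
# quote in front of the address that the mail client substituted.
SAMPLE_CONFIG = '''
destination d_qradar_tls {tcp(\u201e1.2.3.4" port(6514) tls( peer-verify(required-untrusted) ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d")) ); };
destination d_qradar_local { file("/tmp/qradar_local"); };
'''

# Typographic quotes that break syslog-ng's tokenizer when they leak into a config.
DOUBLE_QUOTES = "\u201e\u201c\u201d"   # „ “ ”
SINGLE_QUOTES = "\u2018\u2019\u201a"   # ‘ ’ ‚

# What each syslog-ng peer_verify() mode guarantees about the remote peer.
PEER_VERIFY_MEANING = {
    "required-trusted":   "peer must present a certificate that chains to ca_dir()/ca_file() (peer authenticated)",
    "required-untrusted": "peer must present a certificate, but it is NOT validated (encryption only, no authentication)",
    "optional-trusted":   "certificate optional; if presented it must validate",
    "optional-untrusted": "certificate optional and never validated",
}

DEST_RE = re.compile(r"destination\s+(\w+)\s*\{(.*?)\};", re.S)


@dataclass
class TlsFinding:
    name: str
    host: Optional[str]
    port: Optional[str]
    peer_verify: Optional[str]
    ca_dir: Optional[str]
    ca_file: Optional[str]
    issues: List[str] = field(default_factory=list)


def normalize_quotes(text: str) -> str:
    """Replace typographic quotes with the ASCII quotes syslog-ng accepts."""
    for ch in DOUBLE_QUOTES:
        text = text.replace(ch, '"')
    for ch in SINGLE_QUOTES:
        text = text.replace(ch, "'")
    return text


def _first(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None


def audit_tls_destinations(config: str) -> List[TlsFinding]:
    """Return one finding per destination that carries a tls() block."""
    findings = []
    for m in DEST_RE.finditer(config):
        name, raw_body = m.group(1), m.group(2)
        if not re.search(r"\btls\s*\(", raw_body):
            continue  # file()/plain tcp() destinations carry no TLS settings
        issues = []
        if any(ch in raw_body for ch in DOUBLE_QUOTES + SINGLE_QUOTES):
            issues.append("typographic quotes present; syslog-ng only parses ASCII \" and '")
        body = normalize_quotes(raw_body)
        host = _first(r'\b(?:tcp|tcp6|network|syslog)\s*\(\s*"([^"]+)"', body)
        port = _first(r"\bport\s*\(\s*(\d+)\s*\)", body)
        peer_verify = _first(r'\bpeer[_-]verify\s*\(\s*"?([\w-]+)"?\s*\)', body)
        ca_dir = _first(r'\bca[_-]dir\s*\(\s*"([^"]+)"\s*\)', body)
        ca_file = _first(r'\bca[_-]file\s*\(\s*"([^"]+)"\s*\)', body)
        if peer_verify is None:
            issues.append("peer_verify() not set; the build default decides whether the peer is authenticated")
        elif not peer_verify.endswith("-trusted"):
            issues.append(f"peer_verify({peer_verify}): "
                          f"{PEER_VERIFY_MEANING.get(peer_verify, 'unknown mode')}")
        elif not (ca_dir or ca_file):
            issues.append("trusted mode without ca_dir()/ca_file(): no CA to validate against")
        findings.append(TlsFinding(name, host, port, peer_verify, ca_dir, ca_file, issues))
    return findings


if __name__ == "__main__":
    for f in audit_tls_destinations(SAMPLE_CONFIG):
        print(f"{f.name}: {f.host}:{f.port} peer_verify={f.peer_verify} ca_dir={f.ca_dir}")
        for issue in f.issues:
            print("  -", issue)
```

Run against the sample it reports the stray quote and that `required-untrusted` leaves the SIEM unauthenticated; switching to `peer-verify(required-trusted)` clears both findings only if `ca_dir()` is populated with the CA certificates under their OpenSSL subject-hash file names (as produced by `c_rehash`), since syslog-ng looks them up by hash rather than scanning every PEM file in the directory.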


