[syslog-ng] TLS-Syslog not working

Balazs Scheidler bazsi77 at gmail.com
Fri Mar 7 07:30:46 CET 2014 

Tls requires duplex communication so if you only see a single packet, that
probably means that qradar is not configured to use tls on that port.

Wireshark can analyze the tcpdump packet capture so that you can see how
far the tls handshake completes.

If tls is not completed no messages will be delivered.
On Mar 5, 2014 1:51 PM, <stefan.zahnd at id.unibe.ch> wrote:

>  Hi
>
>  I hope someone can help me!
>
>  The syslog-ng in our environment sends syslog messages using tls to our
> SIEM (Qradar). The following is the configuration of the syslog-ng (ip
> changed):
>
>   # First, set some global options.
> options { chain_hostnames(off); flush_lines(0); use_dns(yes); use_fqdn(no);
>           owner("root"); group("adm"); perm(0640); stats_freq(0);
>           bad_hostname("^gconfd$");
> };
>
>  destination d_qradar_tls {tcp("1.2.3.4" port(6514) tls(
> peer-verify(required-untrusted)
> ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d")) ); };
> destination d_qradar_local { file("/tmp/qradar_local"); };
> source s_testlog {
>         file("/tmp/testlog" flags(no-parse)); };
> log {
>         source(s_testlog);
>         destination(d_qradar_local);
>         destination(d_qradar_tls);
> };
>
>
>  When I insert a message into the testlog it is parsed and written into
> the local destination "d_qradar_local" but not sent to the remote
> destination. Syslog-NG in debugging mode (syslog-ng -Fevdt) shows the
> following:
>
>   ...
> Syslog connection established; fd='7', server='AF_INET(1.2.3.4:6514)',
> local='AF_INET(0.0.0.0:0)'
> Incoming log entry; line='test'
> Initializing destination file writer; template='/tmp/qradar_local',
> filename='/tmp/qradar_local'
> Destination timed out, reaping; template='/tmp/qradar_local',
> filename='/tmp/qradar_local'
> Closing log transport fd; fd='15'
>
>
>  Using tcpdump to check if some packets are sent to Qradar reveals that
> only the first insertion of a message into the testlog after a restart of
> syslog-ng leads to a packet sent to Qradar. Every other insertion has no
> effect on the remote destination but is always inserted into the local
> destination (file). Also during the start of syslog-ng two packets are sent
> to qradar.
>
>  I've also opened a ticket at IBM and awating response.
>
>  Thank you very much in advance for any help on this!
>
>  Kind regards, Stefan
>  --
> University of Bern
> IT Services Department
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20140307/db49cb40/attachment.htm

More information about the syslog-ng mailing list