
R80.20 syslog - TLS

Scenario: Sending events to remote syslog server encrypted (TLS) with log exporter.

Successfully receiving clear text logs on the remote server. Again, TLS fails. Is there a configuration within the policy that needs to be enabled (i.e. rules, syslog server object, etc.)?

The remote syslog server is running syslog-ng 3.16.  Is this a cert issue? 

Don't understand the reference about the LEA... LEA is not in use. 

Getting the following errors: 

[log_indexer 17057 4093631296]@cpmgmt01[4 Oct 15:44:13] Start reading 127.0.0.1:online logs [log] [1538636400] at position 53142

 [log_indexer 17057 4074761024]@cpmgmt01[4 Oct 15:44:13] Start reading 127.0.0.1:online logs [adtlog] [1538636400] at position 25

 [log_indexer 17057 4102024000]@cpmgmt01[4 Oct 15:44:18] LogFetcherLea::IsSubscribeLeaToDb This is not SmartEvent Device

[log_indexer 17057 4102024000]@cpmgmt01[4 Oct 15:44:18] LogFetcherLea::IsSubscribeLeaToDb This is not SmartEvent Device

[log_indexer 17057 4102024000]@cpmgmt01[4 Oct 15:44:18] Files read rate [log] : Current=0 Avg=0 MinAvg=0 Total=0 buffers (0/0/0/0)

[log_indexer 17057 4102024000]@cpmgmt01[4 Oct 15:44:18] Sent  current: 0   total: 0

[log_indexer 17057 4121975616]@cpmgmt01[4 Oct 15:44:18] TcpTlsSender::MakeConnection call: certificate file: [/opt/CPrt-R80.20/log_exporter/targets/syslogserver/certs/log_exporter.p12] CA file: [/opt/CPrt-R80.20/log_exporter/targets/syslogserver/certs/RootCA.pem]

 [log_indexer 17057 4121975616]@cpmgmt01[4 Oct 15:44:18] TcpTlsSender::MakeConnection: keyHolder initiated OK

 [log_indexer 17057 4121975616]@cpmgmt01[4 Oct 15:44:18] prefix: /opt/CPrt-R80.20/log_exporter/targets/syslogserver/certs/RootCA.pem cert: Email=blah@blah.com,CN=10.10.10.145,OU=BT ATM Certificate Authority,O=Lab Plc.,L=Nowhere,ST=Nowhere,C=US

 [log_indexer 17057 4121975616]@cpmgmt01[4 Oct 15:44:18] TcpTlsSender::MakeConnection: create new fwCert to CA succeeded

 [log_indexer 17057 4121975616]@cpmgmt01[4 Oct 15:44:18] TcpTlsSender::MakeConnection: create ckpSSLparams_New succeeded

[log_indexer 17057 4083153728]@cpmgmt01[4 Oct 15:44:18] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=0 buffers (0/0/0/0)

[log_indexer 17057 4083153728]@cpmgmt01[4 Oct 15:44:18] Sent  current: 0   average: 0 total: 0

 [log_indexer 17057 4121975616]@cpmgmt01[4 Oct 15:44:18] TcpTlsSender::MakeConnection: ckpSSL_Connect failed error: unknown

3 Replies
Admin

Re: R80.20 syslog - TLS

It's entirely possible we are using LEA "under the covers" for parts of the functionality that Log Exporter is using--that's probably safe to ignore.

But I suspect it's an SSL error of sorts.

If it's a TLS/SSL negotiation issue, it should show up in a packet capture.

Yonatan Philip might have some suggestions for debugging this also.


Re: R80.20 syslog - TLS

We are having similar issues with R80.10 log exporter to rsyslog, same ssl connect failed error - I have asked TAC how we can get more detailed output on the SSL connect as really this error message does not provide enough detail.

Having tested with openssl s_client -connect, if I use a fully chained root CA PEM file the handshake to the rsyslog server works fine. If I use this same CA cert file in the Log Exporter config then it fails to parse the CA cert file - it doesn't seem to like a PEM file with chained certs. If I use the intermediate cert as the CA file then Log Exporter does not complain but SSL connect fails.

In regards to the LEA message, I suspect LEA is still being used in the backend somewhere to fetch logs into the exporter.

I don't think it's related to your issue, but it's worth being aware of sk136992 - issues with A in cert pass phrase.

regards

risc

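To examine the chained versus single-certificate CA file behaviour described in the reply above, the following added example (not from the thread or from Check Point) splits a PEM bundle into one file per certificate, labels each as self-signed root or not, and optionally checks whether a saved server certificate validates with that one certificate as the only trust anchor. The function names and file arguments are assumptions; only standard `openssl x509` and `openssl verify` options are used.

```shell
# Added example: inspect a chained CA bundle one certificate at a time.
# Function names and file arguments are assumptions, not Log Exporter paths.
# Print how many certificates a PEM file contains.
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Write each certificate to <outdir>/cert-N.pem, dropping any text that sits
# outside the BEGIN/END markers (comments, "Bag Attributes" lines).
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$bundle"
}

# Label a certificate: a root has identical subject and issuer names.
cert_role() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then
        echo "self-signed root: $subject"
    else
        echo "not self-signed: $subject (issuer: $issuer)"
    fi
}

# Usage: inspect_bundle ca-bundle.pem [server-cert.pem]
inspect_bundle() {
    bundle=$1; server_cert=${2:-}
    work=$(mktemp -d)
    split_bundle "$bundle" "$work"
    echo "$(count_certs "$bundle") certificate(s) in $bundle"
    for c in "$work"/cert-*.pem; do
        [ -e "$c" ] || continue
        echo "$c: $(cert_role "$c")"
        [ -n "$server_cert" ] || continue
        # Only $c is trusted; the bundle stands in for the chain a server sends.
        if openssl verify -CAfile "$c" -untrusted "$bundle" "$server_cert" >/dev/null 2>&1; then
            echo "  $server_cert validates with this file as the only trust anchor"
        else
            echo "  $server_cert does NOT validate with this file as the only trust anchor"
        fi
    done
}

if [ "$#" -gt 0 ]; then inspect_bundle "$@"; fi
```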
Employee+

Re: R80.20 syslog - TLS

Hi Guys,

Sorry but TLS isn't my area of expertise. Please open a support case so a relevant support engineer can look at the issue.

Thanks

Yonatan 
