R80.20 syslog - TLS
Scenario: Sending events to remote syslog server encrypted (TLS) with log exporter.
Successfully receive clear text logs to remote server. Again TLS fails. Is there a configuration within the policy that needs to be enabled (i.e. rules, syslog server object, etc.)?
The remote syslog server is running syslog-ng 3.16. Is this a cert issue?
Don't understand the reference about the LEA... LEA is not in use.
Getting the following errors:
[log_indexer 17057 4093631296]@cpmgmt01[4 Oct 15:44:13] Start reading 127.0.0.1:online logs [log] [1538636400] at position 53142
[log_indexer 17057 4074761024]@cpmgmt01[4 Oct 15:44:13] Start reading 127.0.0.1:online logs [adtlog] [1538636400] at position 25
[log_indexer 17057 4102024000]@cpmgmt01[4 Oct 15:44:18] LogFetcherLea::IsSubscribeLeaToDb This is not SmartEvent Device
[log_indexer 17057 4102024000]@cpmgmt01[4 Oct 15:44:18] LogFetcherLea::IsSubscribeLeaToDb This is not SmartEvent Device
[log_indexer 17057 4102024000]@cpmgmt01[4 Oct 15:44:18] Files read rate [log] : Current=0 Avg=0 MinAvg=0 Total=0 buffers (0/0/0/0)
[log_indexer 17057 4102024000]@cpmgmt01[4 Oct 15:44:18] Sent current: 0 total: 0
[log_indexer 17057 4121975616]@cpmgmt01[4 Oct 15:44:18] TcpTlsSender::MakeConnection call: certificate file: [/opt/CPrt-R80.20/log_exporter/targets/syslogserver/certs/log_exporter.p12] CA file: [/opt/CPrt-R80.20/log_exporter/targets/syslogserver/certs/RootCA.pem]
[log_indexer 17057 4121975616]@cpmgmt01[4 Oct 15:44:18] TcpTlsSender::MakeConnection: keyHolder initiated OK
[log_indexer 17057 4121975616]@cpmgmt01[4 Oct 15:44:18] prefix: /opt/CPrt-R80.20/log_exporter/targets/syslogserver/certs/RootCA.pem cert: Email=blah@blah.com,CN=10.10.10.145,OU=BT ATM Certificate Authority,O=Lab Plc.,L=Nowhere,ST=Nowhere,C=US
[log_indexer 17057 4121975616]@cpmgmt01[4 Oct 15:44:18] TcpTlsSender::MakeConnection: create new fwCert to CA succeeded
[log_indexer 17057 4121975616]@cpmgmt01[4 Oct 15:44:18] TcpTlsSender::MakeConnection: create ckpSSLparams_New succeeded
[log_indexer 17057 4083153728]@cpmgmt01[4 Oct 15:44:18] Files read rate [adtlog] : Current=0 Avg=0 MinAvg=0 Total=0 buffers (0/0/0/0)
[log_indexer 17057 4083153728]@cpmgmt01[4 Oct 15:44:18] Sent current: 0 average: 0 total: 0
[log_indexer 17057 4121975616]@cpmgmt01[4 Oct 15:44:18] TcpTlsSender::MakeConnection: ckpSSL_Connect failed error: unknown
It's entirely possible we are using LEA "under the covers" for parts of the functionality that Log Exporter is using--that's probably safe to ignore.
But I suspect it's an SSL error of sorts.
If it's a TLS/SSL negotiation issue, it should show up in a packet capture.
Yonatan Philip might have some suggestions for debugging this also.
We are having similar issues with R80.10 log exporter to rsyslog, same ssl connect failed error - I have asked TAC how we can get more detailed output on the SSL connect as really this error message does not provide enough detail.
Having tested with openssl s_client -connect, if I use a fully chained root CA pem file the handshake to the rsyslog server works fine. If I use this same CA cert file in the Log Exporter config then it fails to parse the CA cert file - doesn't seem to like a pem file with chained certs. If I use the intermediate cert as the CA file then Log Exporter does not complain but ssl connect fails.
In regards to the LEA message, I suspect LEA is still being used in the backend somewhere to fetch logs into the exporter.
I don't think it's related to your issue, but worth being aware of sk136992 - issues with A in cert pass phrase.
regards
risc
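The reply above reports that a chained CA PEM file worked with openssl s_client but was not parsed by Log Exporter. As an added example (not part of the thread and not Check Point tooling), this shell script splits such a bundle into one file per certificate and shows which one is the self-signed root, so each can be tried as a single-certificate CA file; the script name and all file names are assumptions.

```shell
#!/bin/sh
# Added example: inspect a chained CA PEM file one certificate at a time.
# All file and directory names are hypothetical.

# split_bundle BUNDLE OUTDIR: write OUTDIR/cert-N.pem per certificate,
# in file order, and print how many certificates were found.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# describe_certs OUTDIR: one line per split certificate with its subject
# and whether it is self-signed (subject equals issuer, i.e. a root CA).
describe_certs() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        issr=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        if [ "$subj" = "$issr" ]; then
            role="self-signed root"
        else
            role="issued by: $issr"
        fi
        printf '%s\t%s\t[%s]\n' "${f##*/}" "$subj" "$role"
    done
}

# Usage: sh split_chain.sh chain.pem outdir
if [ "$#" -eq 2 ]; then
    count=$(split_bundle "$1" "$2") || exit 1
    echo "certificates in bundle: $count"
    describe_certs "$2"
fi
```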
Hi Guys,
Sorry but TLS isn't my area of expertise. Please open a support case so a relevant support engineer can look at the issue.
Thanks
Yonatan
