Hi Jason,

if you're using TLS client certificates (and client certificate verification), you either have to add the CA certificate or all the client certificates to the JVM's trust store; see
http://docs.graylog.org/en/2.1/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store
for a related entry in the Graylog documentation.

Cheers,
Jochen

On Monday, 9 January 2017 01:14:56 UTC+1, Jason Haar wrote:
>
> Hi there
>
> We have set up our first Cisco ASA (8.4) to send syslog (TLS) messages 
> through to graylog via
>
> logging host outside ip.add.ress TCP/6666 secure
>
> We already have some Unix systems using rsyslog successfully doing the 
> same thing, but the Cisco records aren't being accepted.
>
> A sniffer shows traffic coming in from the Cisco, but server.log reports 
> the following. That sounds like the Cisco attempted to handshake TLS and 
> then sent an alert to graylog stating the error was "certificate_unknown"? 
> That would make sense, but our network group have no idea how to make the 
> CA trusted. 
>
> Can someone point me at something they need to read to do this properly? 
>
> Thanks, Jason
>
>
>
> 2017-01-09T00:07:56.088Z ERROR [NettyTransport] Error in Input [Syslog TCP/570cc00b9cdbc22f13f5cecd] (channel [id: 0x525ae1a4, /1.2.3.4:56720 => /4.3.2.1:6666])
> javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
> at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:1.8.0_77]
> at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_77]
> at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1219) ~[graylog.jar:?]
> at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852) ~[graylog.jar:?]
> at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425) ~[graylog.jar:?]
> at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) ~[graylog.jar:?]
> at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[graylog.jar:?]
> at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
> at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) [graylog.jar:?]
> at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) [graylog.jar:?]
> at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) [graylog.jar:?]
> at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) [graylog.jar:?]
> at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) [graylog.jar:?]
> at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
> at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) [graylog.jar:?]
> at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) [graylog.jar:?]
> at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
> at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
> at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:1.8.0_77]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:1.8.0_77]
> at java.lang.Thread.run(Unknown Source) [?:1.8.0_77]
>
>
> -- 
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
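The server.log excerpt above is the only evidence in this thread, and the useful detail is buried in it: in JSSE, "Received fatal alert: certificate_unknown" (note `SSLEngineImpl.recvAlert` in the trace) means the alert was sent by the remote peer, whereas a certificate rejected by the JVM's own trust store shows up as a local handshake exception. The script below is an added example, not code from the thread or from Graylog: it pairs each NettyTransport error header with the exception line that follows it, records which end of the handshake raised the failure, and summarises failures per sender so an operator can see which device's trust configuration to check and where. The sample log is constructed for the example; the first entry copies the line shape from the thread, and the PKIX wording in the second entry is the standard JSSE message for a locally rejected certificate. The hint text is the author's own guidance, not Graylog's.

```python
"""Classify TLS handshake failures in Graylog server.log by which side raised them.

Example code, not part of the thread or of Graylog. The sample log below is
constructed: entry 1 copies the format quoted in the thread, entries 2-3 are
invented to show a local trust-store rejection and a repeat offender.
"""
import re
from collections import Counter

# Header line written by Graylog's NettyTransport when an input channel fails.
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) ERROR \[NettyTransport\] Error in Input "
    r"\[(?P<input>[^\]]+)\] \(channel \[id: (?P<chan>0x[0-9a-f]+), "
    r"/(?P<src>[\d.]+):(?P<sport>\d+) => /(?P<dst>[\d.]+):(?P<dport>\d+)\]\)"
)
# JSSE wording when the *peer* sent the fatal alert (as in the thread).
RECEIVED_RE = re.compile(
    r"^javax\.net\.ssl\.SSLException: Received fatal alert: (?P<alert>\w+)"
)
# JSSE wording when *this* JVM rejected what the peer presented.
LOCAL_RE = re.compile(
    r"^javax\.net\.ssl\.SSL(?:Handshake)?Exception: (?P<msg>.+)"
)

# Constructed sample log (three events; the second is a local rejection).
SAMPLE_LOG = """\
2017-01-09T00:07:56.088Z ERROR [NettyTransport] Error in Input [Syslog TCP/570cc00b9cdbc22f13f5cecd] (channel [id: 0x525ae1a4, /1.2.3.4:56720 => /4.3.2.1:6666])
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
\tat sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:1.8.0_77]
2017-01-09T00:08:10.412Z ERROR [NettyTransport] Error in Input [Syslog TCP/570cc00b9cdbc22f13f5cecd] (channel [id: 0x0c1d2e3f, /10.0.0.7:41000 => /4.3.2.1:6666])
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
\tat sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:1.8.0_77]
2017-01-09T00:08:11.001Z ERROR [NettyTransport] Error in Input [Syslog TCP/570cc00b9cdbc22f13f5cecd] (channel [id: 0x525ae1a4, /1.2.3.4:56721 => /4.3.2.1:6666])
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
"""


def parse_tls_failures(lines):
    """Return one dict per (header, exception) pair found in the log lines."""
    events = []
    pending = None
    for raw in lines:
        line = raw.rstrip("\n")
        header = HEADER_RE.match(line)
        if header:
            pending = header.groupdict()  # wait for the exception on the next line
            continue
        if pending is None:
            continue  # stack frames or unrelated lines
        received = RECEIVED_RE.match(line)
        local = LOCAL_RE.match(line) if received is None else None
        if received:
            pending.update(direction="peer_sent_alert",
                           alert=received.group("alert"), detail=None)
            events.append(pending)
        elif local:
            pending.update(direction="local_rejected",
                           alert=None, detail=local.group("msg"))
            events.append(pending)
        pending = None  # only the line directly after the header is examined
    return events


def summarize(events):
    """Count failures per (source IP, direction, alert name)."""
    return Counter((e["src"], e["direction"], e["alert"]) for e in events)


def hint(event):
    """Operator-facing explanation of which trust store to inspect."""
    if event["direction"] == "peer_sent_alert":
        return ("alert '%s' originated at the remote peer %s: it could not validate a "
                "certificate sent by this server; check the CAs that sender trusts"
                % (event["alert"], event["src"]))
    return ("this JVM rejected the certificate presented by %s; the issuing CA must be "
            "in the JVM trust store (keytool -importcert, then -Djavax.net.ssl.trustStore)"
            % event["src"])


if __name__ == "__main__":
    found = parse_tls_failures(SAMPLE_LOG.splitlines())
    for key, count in summarize(found).items():
        print(count, key)
    for ev in found:
        print(ev["ts"], ev["input"], "->", hint(ev))
```

Run against a real server.log with `parse_tls_failures(open(path))`; the counter makes it obvious when a single sender is retrying in a loop (same source IP, rising count) versus a one-off misconfiguration, and the direction field tells you whether the fix belongs on the sender or in the Graylog JVM's trust store.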

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/841e97a0-459c-4e98-a1c8-20edbfb90068%40googlegroups.com.