Re: [graylog2] Re: unable to receive syslog/tls from Cisco devices

2017-01-09 Thread Jason Haar
We got it working, so I thought I'd share the trick

It turned out the network guys had syslog/TLS pointing at the IP address instead
of the hostname that is present in the cert. There is no way to disable
cert validation on Ciscos, so the Cisco was dropping the session due to the
name mismatch. Also, it appears that (on Cisco) you have to configure a CRL for the
CA used to sign the Graylog TLS cert. That sounds weird to me, but that's
what they did to make it work:

logging enable
logging timestamp
logging buffer-size 8196
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
logging queue 0
logging device-id hostname
logging host outside fqdn 6/portNUM secure
logging permit-hostdown
crypto ca trustpoint CA-who-signed-graylogCert
 enrollment terminal
 crl configure
  whatever goes here for your CA
crypto ca certificate chain CA-who-signed-graylogCert
 certificate ca xxx

This will then enable the Cisco to create a syslog/TLS session to the
Graylog server, and then you'll have to add some extractors to actually
glean the information you want; the Ciscos are bad at that too.

But all working now :-)



-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/CAFChrgLjk0P6szsiJ9XdB6H3d%2B%2B1Rmi7hDvDu2pVRWNbJ%2Bmiag%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
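As an added example (it is not part of Jason's post, nor Cisco or Graylog code), here is the server-name check the ASA's TLS client applies, written out in Python over certificate data in the shape `ssl.getpeercert()` returns. The certificate and the hostname `graylog.example.com` are constructed for the illustration. The point it shows is the mismatch described above: an IP literal configured as the logging host can only ever match an iPAddress SAN, so a certificate that carries only a DNS name fails even though the CA is trusted. `live_check` runs the same check (CA verification plus hostname match) against a real listener and is not exercised offline.

```python
"""Server-certificate name matching as a strict TLS client applies it.

Added example, not from the thread.  Mirrors what ssl.SSLContext with
check_hostname=True does: the configured 'logging host' target must appear
in the certificate's subjectAltName (dNSName for a hostname, iPAddress for
an IP).  A certificate with only a DNS SAN never matches an IP literal.
"""
import ipaddress
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# the Graylog server cert carries only a DNS name (hostname is an assumption).
GRAYLOG_CERT = {
    "subject": ((("commonName", "graylog.example.com"),),),
    "subjectAltName": (("DNS", "graylog.example.com"),),
}


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive; a single '*' is
    allowed only as the entire left-most label and never spans a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_target(cert: dict, target: str) -> bool:
    """Return True if `target` (hostname or IP literal) is a valid name for `cert`."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target may only match an iPAddress SAN; DNS names are ignored.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        return any(_dns_match(p, target) for p in dns_names)
    # Legacy fallback: only when there is no SAN at all, consult the subject CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, target):
                return True
    return False


def explain(cert: dict, target: str) -> str:
    """Human-readable verdict for a candidate 'logging host' target."""
    if cert_matches_target(cert, target):
        return f"OK: {target} matches the certificate"
    names = ", ".join(f"{k}:{v}" for k, v in cert.get("subjectAltName", ()))
    return f"MISMATCH: {target} not in SAN [{names}]"


def live_check(host: str, port: int, ca_file: str) -> dict:
    """Same check against a live listener (not run offline): the chain must
    verify against ca_file AND the name must match, as the ASA requires."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(explain(GRAYLOG_CERT, "10.0.0.5"))             # MISMATCH
    print(explain(GRAYLOG_CERT, "graylog.example.com"))  # OK
```

If the devices must be pointed at an IP, the alternative to changing the `logging host` line is to reissue the Graylog certificate with an iPAddress SAN so `cert_matches_target` succeeds for the literal.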


Re: [graylog2] Re: unable to receive syslog/tls from Cisco devices

2017-01-09 Thread Jason Haar
On Mon, Jan 9, 2017 at 9:20 PM, Jochen Schalanda  wrote:

> if you're using TLS client certificates


No, the Cisco doesn't support that anyway. The Java error says
"javax.net.ssl.SSLException: Received fatal alert: certificate_unknown",
and Wireshark confirms the TLS alert comes from the *client*, not the
server. It seems to me the Cisco ASA doesn't trust the server cert or the
CA that signed it, but I'm not a Cisco engineer, and apparently ours
have never done this before and don't know any better either :-)

I was hoping someone on this list had been through the drama.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/CAFChrgKDG5SqkiiS%2BPFzEG6m-%2Byre%3DdazZuH8%3Dufm%2B8LwLD54Q%40mail.gmail.com.
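The packet-level check Jason describes, as an added example that is not part of the thread: decode the TLS alert record that ended the handshake and attribute it to the side that sent it. The record bytes are constructed (a TLS 1.2 fatal `certificate_unknown` alert); the endpoint addresses follow the placeholders in the Graylog log line, where Netty prints the remote (ASA) address first and the local (Graylog) address second. The listener port 6514 is an assumption. A certificate-class alert from the client means the client rejected the server's chain; the same alert from the server would point at client-certificate verification instead, which is the distinction the reply above draws.

```python
"""Decode a plaintext TLS alert record and say which side sent it.

Added example, not from the thread.  Reproduces offline what the Wireshark
check showed: given the raw TCP payload of the alert record and the two
endpoints, name the sender and interpret the alert.
"""
import struct

# TLS ContentType (RFC 5246 section 6.2.1)
CONTENT_ALERT = 21
# AlertLevel / AlertDescription (RFC 5246 section 7.2)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    80: "internal_error", 112: "unrecognized_name",
}
# Alerts a peer raises while validating the other side's certificate chain.
CERT_ALERTS = {"bad_certificate", "unsupported_certificate", "certificate_revoked",
               "certificate_expired", "certificate_unknown", "unknown_ca"}


def parse_tls_record(payload: bytes) -> dict:
    """Parse one TLS record header (type, version, length) and return its body."""
    if len(payload) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    body = payload[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    return {"type": ctype, "version": (major, minor), "body": body}


def decode_alert(payload: bytes) -> dict:
    """Decode an unencrypted alert record, as sent during a failed handshake."""
    rec = parse_tls_record(payload)
    if rec["type"] != CONTENT_ALERT or len(rec["body"]) != 2:
        raise ValueError("not a plaintext alert record")
    level, desc = rec["body"]
    return {
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }


def attribute_alert(src: tuple, client: tuple, server: tuple, payload: bytes) -> str:
    """Name the sender of the alert.  `client` is the endpoint that opened the
    TCP connection (the syslog sender), `server` the listener (Graylog)."""
    alert = decode_alert(payload)
    who = "client" if src == client else "server" if src == server else "unknown"
    text = f"{who} sent {alert['level']} alert {alert['description']}"
    if who == "client" and alert["description"] in CERT_ALERTS:
        text += ": the client rejected the server's certificate chain"
    elif who == "server" and alert["description"] in CERT_ALERTS:
        text += ": the server rejected the client's certificate"
    return text


# Constructed sample: TLS 1.2 alert record, level fatal (2), description
# certificate_unknown (46).
SAMPLE_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x2E])
CLIENT = ("1.2.3.4", 56720)   # ASA, remote side in the Graylog log line
SERVER = ("4.3.2.1", 6514)    # Graylog listener; the port is an assumption

if __name__ == "__main__":
    print(attribute_alert(CLIENT, CLIENT, SERVER, SAMPLE_ALERT))
```

In a capture, take `src` from the IP/TCP header of the packet carrying the 0x15 record; the Graylog exception only reports that an alert was received, not who validated what.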


[graylog2] Re: unable to receive syslog/tls from Cisco devices

2017-01-09 Thread Jochen Schalanda
Hi Jason,

if you're using TLS client certificates (and client certificate 
verification), you either have to add the CA certificate or all the client 
certificates to the JVM's trust store; see 
http://docs.graylog.org/en/2.1/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store
for a related entry in the Graylog documentation.

Cheers,
Jochen

On Monday, 9 January 2017 01:14:56 UTC+1, Jason Haar wrote:
>
> Hi there
>
> We have set up our first Cisco ASA (8.4) to send syslog (TLS) messages 
> through to graylog via
>
> logging host outside ip.add.ress TCP/ secure
>
> We already have some Unix systems using rsyslog successfully doing the 
> same thing, but the Cisco records aren't being accepted.
>
> A sniffer shows traffic coming in from the Cisco, but server.log reports 
> the following. That sounds like the Cisco attempted to handshake TLS and 
> then sent an alert to graylog stating the error was "certificate_unknown"? 
> That would make sense, but our network group have no idea how to make the 
> CA trusted. 
>
> Can someone point me at something they need to read to do this properly? 
>
> Thanks, Jason
>
>
>
> 2017-01-09T00:07:56.088Z ERROR [NettyTransport] Error in Input [Syslog TCP/570cc00b9cdbc22f13f5cecd] (channel [id: 0x525ae1a4, /1.2.3.4:56720 => /4.3.2.1:])
> javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
> at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:1.8.0_77]
> at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:1.8.0_77]
> at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_77]
> at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1219) ~[graylog.jar:?]
> at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852) ~[graylog.jar:?]
> at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425) ~[graylog.jar:?]
> at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) ~[graylog.jar:?]
> at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[graylog.jar:?]
> at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
> at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) [graylog.jar:?]
> at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) [graylog.jar:?]
> at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) [graylog.jar:?]
> at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) [graylog.jar:?]
> at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) [graylog.jar:?]
> at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
> at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) [graylog.jar:?]
> at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) [graylog.jar:?]
> at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
> at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
> at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:1.8.0_77]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:1.8.0_77]
> at java.lang.Thread.run(Unknown Source) [?:1.8.0_77]
>
>
> -- 
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/841e97a0-459c-4e98-a1c8-20edbfb90068%40googlegroups.com.