I am new to the Elastic ecosystem and looking for assistance...trying to configure tcp SSL collection for palo logs from cortex datalake... this cert worked fine with our previous solution so I know nothing is wrong with the cert
within my SSL configuration from the palo tcp collection
hey @stephenb - I have tried every which way possible including removing the SSL - the error messages are super generic and it appears I might be the only person on the internet with the error - it should be noted that I am using the Palo Alto Next-Gen Firewall integration as we do not use cortex XDR, just global protect VPN service in the cloud.
Do you have any idea where I can find information on the errors provided from the SSL configuration? I have tried path to certificates vs putting the cert within the SSL box. With any reference to certificates the agent will not open the port for listening.
Error with just certificate: "C:/path/to/cert/lr_server.crt"
[elastic_agent][error] Unit state changed tcp-default-tcp-panw-5a58e590-2be3-11ee-9f77-b1f9cdde8d8b (CONFIGURING->FAILED): [failed to reload inputs: 1 error: Error creating runner from config: can not convert 'object' into 'string' accessing 'ssl.certificate' accessing 'ssl']
If that works then you need to understand what kind of validation your Palo Alto Server Side SSL Requires.
Finally when I run into these hard-to-figure-out config and agent is hard to debug... I just do all the testing with a local filebeat then copy / move the config over to the agent... because agent is basically running filebeat under the covers.
You can run filebeat in the foreground and see all the logs and test the modules etc...
Use the quickstart enable the correct module you can test all this ... then go back to agent...
Not ideal but a suggestion
Question do you understand the difference between a CA (Certificate Authority) and the Actual Cert?
[elastic_agent][error] Unit state changed tcp-default (STARTING->FAILED): [failed to reload inputs: 1 error: Error creating runner from config: can not convert 'object' into 'string' accessing 'ssl.certificate' accessing 'ssl']
I guess I am trying to figure out why the agent is not opening up the port for collection as debug logging still simply shows very generic errors. It has to not like something about the certificate to not open the port / start collection and I can't seem to find anything that tells me why. I guess I will explore manually running filebeat to see if debugging log gives any better hint as why the port would not be opening.
It is not opening the port because it's failing to parse the configuration so it never gets that far.... If it fails parsing the configuration no port will be open because it does not get to that step.
You even said above if you don't put in the SSL settings at the port opens.
This is about parsing your configuration correctly.
[elastic_agent][error] Unit state changed tcp-default-tcp-panw-5a58e590-2be3-11ee-9f77-b1f9cdde8d8b (CONFIGURING->FAILED): [failed to reload inputs: 1 error: Error creating runner from config: certificate file not configured accessing 'ssl']
Fails to open the port with this configuration also.
Where are you seeing incorrect syntax? Because I included SSL? I mentioned I tried it with / without and same outcome. I tried referencing the path and also tried the certificate syntax by putting it directly within the yaml file. The CA is in the trust store on the machine but I exported it to specify the path within the SSL configuration file.
Could you show me what you think the correct syntax is? Guess I am confused as all the different syntax methods I have tried shows as being supported.