Issues configuring SSL TCP Syslog Collection - Palo Alto Integration

I am new to the Elastic ecosystem and looking for assistance... trying to configure TCP SSL collection for Palo logs from Cortex Data Lake... this cert worked fine with our previous solution, so I know nothing is wrong with the cert.

Within my SSL configuration for the Palo TCP collection:

SSL Configuration
ssl.certificate: "C:/path/to/cert/lr_server.crt"
ssl.certificate_authorities: ["C:/path/to/cert/lr_server.crt"]

I get the following error:

[failed to reload inputs: 1 error: Error creating runner from config: type mismatch accessing 'ssl'] - when running netstat, the agent isn't even listening on the port.

If I remove all SSL configuration, the agent listens on the port but is unable to decrypt the traffic :slight_smile:

Hi @elasticnub, welcome to the community and thanks for trying Elastic Agent integrations.

I did a quick ask internally to see what we get... did you try without the leading ssl. prefix?

certificate: "C:/path/to/cert/lr_server.crt"
certificate_authorities: ["C:/path/to/cert/lr_server.crt"]

I assume you are talking about this section.

I looked in the code here,

which makes me think you may not need the leading ssl. prefix:

{{#if ssl}}
request.ssl: {{ssl}}
{{/if}}

Hey @stephenb - I have tried every which way possible, including removing the SSL - the error messages are super generic and it appears I might be the only person on the internet with the error :slight_smile: - it should be noted that I am using the Palo Alto Next-Gen Firewall integration, as we do not use Cortex XDR, just the GlobalProtect VPN service in the cloud.

Do you have any idea where I can find information on the errors provided from the SSL configuration? I have tried the path to the certificates vs. putting the cert within the SSL box. With any reference to certificates, the agent will not open the port for listening.

certificate:
  - |
    -----BEGIN CERTIFICATE-----
    blah blah blah
    -----END CERTIFICATE-----

Error with just certificate: "C:/path/to/cert/lr_server.crt":

[elastic_agent][error] Unit state changed tcp-default-tcp-panw-5a58e590-2be3-11ee-9f77-b1f9cdde8d8b (CONFIGURING->FAILED): [failed to reload inputs: 1 error: Error creating runner from config: can not convert 'object' into 'string' accessing 'ssl.certificate' accessing 'ssl']

Hi @elasticnub

Ok, so when I see this, it looks to me like:

a) you do not prefix with ssl., pretty sure that is what is throwing this error:

can not convert 'object' into 'string' accessing 'ssl.certificate'

b) can you try this, just for a test:

verification_mode: none

If that works, then you need to understand what kind of validation your Palo Alto server-side SSL requires.

Finally, when I run into these hard-to-figure-out configs and the agent is hard to debug... I just do all the testing with a local Filebeat, then copy / move the config over to the agent... because the agent is basically running Filebeat under the covers.

You can run Filebeat in the foreground, see all the logs, and test the modules etc...

Use the quickstart, enable the correct module, and you can test all this... then go back to the agent...

Not ideal, but a suggestion.

Question: do you understand the difference between a CA (Certificate Authority) and the actual cert?

I ask because:

certificate_authorities: ["C:/path/to/cert/lr_server.crt"]

That does not look like a CA. You will need to get the CA from your SSL person, and you need to ask what type of SSL validation that Palo Alto server requires from a connecting client.

Here is the description of all the SSL settings:

@stephenb - same issue with verification_mode: none:

verification_mode: none
certificate:
  - |
    -----BEGIN CERTIFICATE-----
    blah blah blah blah
    -----END CERTIFICATE-----

[elastic_agent][error] Unit state changed tcp-default (STARTING->FAILED): [failed to reload inputs: 1 error: Error creating runner from config: can not convert 'object' into 'string' accessing 'ssl.certificate' accessing 'ssl']

I guess I am trying to figure out why the agent is not opening up the port for collection, as debug logging still simply shows very generic errors. It has to not like something about the certificate to not open the port / start collection, and I can't seem to find anything that tells me why. I guess I will explore manually running Filebeat to see if the debug log gives any better hint as to why the port would not be opening.

I meant just try the verification_mode only.

It is not opening the port because it's failing to parse the configuration, so it never gets that far.... If it fails parsing the configuration, no port will be opened because it does not get to that step.

You even said above that if you don't put in the SSL settings, the port opens.

This is about parsing your configuration correctly.

Your syntax is not correct.

Please see here:

The config you show in the post above is for the field certificate, which takes a single value.

But the YAML syntax you used is for an array / list, not a single entry, so you used the syntax for certificate_authorities, which is a list, which is not correct for the field certificate.

Which again correlates to the error exactly... The syntax is VERY specific.

Please try with only the verification mode first.

Then, if you add certificate or certificate authorities, make sure you use the correct syntax.

And of course the actual correct CA.

Again... you would probably debug this quicker with Filebeat.


Here's a similar issue which was resolved with correct configuration.


[elastic_agent][error] Unit state changed tcp-default-tcp-panw-5a58e590-2be3-11ee-9f77-b1f9cdde8d8b (CONFIGURING->FAILED): [failed to reload inputs: 1 error: Error creating runner from config: certificate file not configured accessing 'ssl']

Fails to open the port with this configuration also.

Where are you seeing incorrect syntax? Because I included SSL? I mentioned I tried it with / without and got the same outcome. I tried referencing the path and also tried the certificate syntax by putting it directly within the YAML file. The CA is in the trust store on the machine, but I exported it to specify the path within the SSL configuration file.

Could you show me what you think the correct syntax is? I guess I am confused, as all the different syntax methods I have tried show as being supported.

Woohoo, got it working, thanks @stephenb / @kcreddy for the help!

My configuration file is below:

certificate: "C:/Users/path/to/file/lr_server.cer"
key: "C:/Users/path/to/file/agent_key_noenc.key"

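The rules this thread turns on (one value for certificate and key, no leading ssl. prefix inside the box, and certificate plus key as a pair for a listener), as an added pre-flight check written for this page; it is not part of the thread or of Elastic's own code, and the field shapes and the listener rule are assumptions taken from the posts above:

```python
# Added example, not from the thread or from Elastic: a pre-flight check for
# the YAML pasted into the TCP integration's "SSL Configuration" box. Assumed
# from the thread: certificate/key take one value, the box is already nested
# under `ssl:` by the integration, and a listener needs certificate plus key.
from typing import Any

SCALAR_FIELDS = {"certificate", "key", "key_passphrase"}
VERIFICATION_MODES = {"full", "strict", "certificate", "none"}


def is_pem(value: Any) -> bool:
    """True when the value is inline PEM text rather than a file path."""
    return isinstance(value, str) and value.lstrip().startswith("-----BEGIN ")


def check_ssl_block(cfg: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means the block should parse."""
    problems: list[str] = []
    for name, value in cfg.items():
        if name.startswith("ssl."):
            # The integration wraps the box in `ssl:` itself, so a second prefix
            # nests an object where a value belongs ("type mismatch accessing 'ssl'").
            problems.append(f"{name}: drop the 'ssl.' prefix, the box is already under ssl")
        elif name in SCALAR_FIELDS and not isinstance(value, str):
            # A `- |` list item where one value belongs: the thread's
            # "can not convert 'object' into 'string'" error.
            if isinstance(value, list) and any(is_pem(v) for v in value):
                problems.append(f"{name}: use a single `|` block scalar, not a `- ` list item")
            else:
                problems.append(f"{name}: expects one string, got {type(value).__name__}")
        elif name == "verification_mode" and value not in VERIFICATION_MODES:
            problems.append(f"verification_mode: {value!r} is not one of {sorted(VERIFICATION_MODES)}")
    # The TCP input is a listener, so it must present its own certificate and key.
    present = {n.removeprefix("ssl.") for n in cfg}
    if "certificate" not in present:
        problems.append("certificate file not configured (a listener needs certificate and key)")
    elif "key" not in present:
        problems.append("key file not configured (certificate given without its key)")
    return problems


# Constructed samples mirroring the attempts in the thread (placeholder paths/PEM).
ATTEMPT_PREFIXED = {"ssl.certificate": "C:/path/to/cert/lr_server.crt",
                    "ssl.certificate_authorities": ["C:/path/to/cert/lr_server.crt"]}
ATTEMPT_LIST_PEM = {"verification_mode": "none",
                    "certificate": ["-----BEGIN CERTIFICATE-----\nblah\n-----END CERTIFICATE-----\n"]}
ATTEMPT_MODE_ONLY = {"verification_mode": "none"}
WORKING = {"certificate": "C:/Users/path/to/file/lr_server.cer",
           "key": "C:/Users/path/to/file/agent_key_noenc.key"}
```

Running check_ssl_block over each sample reports the prefixed, list-shaped and certificate-less attempts and returns an empty list for the final working pair.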
