Logstash ssl-tcp configuration syslog output

bambam · June 23, 2020, 11:07pm

Hello,

I'm trying to forward messages from Logstash to an external syslog server (Qradar). I need to use ssl-tcp, for the external connection only not the connection to Elasticsearch. I can't find any documentation on how to properly configure the output file and what needs to be included in the file. Below is the current logstash output config file. The "syslog.cert" is a certificate generated from the external syslog server. The current output to Elasticsearch works without any issues but the syslog output is not working correctly.

output {
Elasticsearch { hosts => localhost }
}

output {
Syslog {
Host => “10.10.10.10”
Severity => “debug”
protocol => “ssl-tcp”
port => “6514”
ssl_cert => “/tmp/syslog.cert.”
ssl_verify => ‘false’
codec => line { format => “%{message}” }
}
}

Badger · June 23, 2020, 11:38pm

What does not work? Are there error messages in either the logstash or syslog logs?

bambam · June 24, 2020, 12:02pm

I was told communication is getting to the Qradar machine but the logs show something messages like they're looking for a handshake to complete before it will accept the logs. This is why I entered the ssl_cert into the config. The reason I believe it's related to the certificate is because I have tested forwarding the logs without ssl and have verified connectivity.

bambam · June 24, 2020, 2:33pm

Below are the error messages I see after making changes to the configuration file and restart the logstash service.

[2020-06-24T10:30:24,753][ERROR][logstash.agent ] Pipeline aborted due to error {:exception=>#<TypeError: can't convert nil into String>, :backtrace=>["org/jruby/RubyIO.java:3804:in read'", "org/jruby/RubyIO.java:3987:in read'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:229:in setup_ssl'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:132:in register'", "org/jruby/RubyArray.java:1613:in each'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator_strategies/legacy.rb:17:in register'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator.rb:43:in register'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:290:in register_plugin'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:301:in register_plugins'", "org/jruby/RubyArray.java:1613:in each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:301:in register_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:310:in start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:235:in run'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:408:in start_pipeline'"]}

Badger · June 24, 2020, 2:39pm

line 229 is this.

ssl_cert => “/tmp/syslog.cert.”

Are you sure that should have a trailing period?

bambam · June 24, 2020, 2:43pm

that is a typo there is no . in the actual config. Do you need to trust the syslog.cert or add it to anything? The only thing I've done is copy it to my machine from the destination machine.

Badger · June 24, 2020, 2:44pm

I suspect it is failing to read the file at all.

system · July 22, 2020, 2:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configuring Logstash Sylog (v2.1.4) Output plugin for to use ssl-tcp Logstash	3	921	July 6, 2017
Logstash 6.6.0 with syslog output 3.0.5 ssl-tcp issue Logstash	1	308	May 4, 2020
Syslog with tcp-ssl error Logstash	1	447	July 29, 2019
Configure tcp input to accept syslog over ssl Logstash	6	1248	July 23, 2020
Sending logs with SSL/TLS from Logstash Logstash	4	4260	July 6, 2017

Logstash ssl-tcp configuration syslog output

Related topics