I'm trying to forward messages from Logstash to an external syslog server (Qradar). I need to use ssl-tcp, for the external connection only not the connection to Elasticsearch. I can't find any documentation on how to properly configure the output file and what needs to be included in the file. Below is the current logstash output config file. The "syslog.cert" is a certificate generated from the external syslog server. The current output to Elasticsearch works without any issues but the syslog output is not working correctly.
I was told communication is getting to the Qradar machine, but the logs show messages like they're looking for a handshake to complete before it will accept the logs. This is why I entered the ssl_cert into the config. The reason I believe it's related to the certificate is that I have tested forwarding the logs without SSL and have verified connectivity.
That is a typo; there is no `.` in the actual config. Do you need to trust the syslog.cert or add it to anything? The only thing I've done is copy it to my machine from the destination machine.
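An added example (not the poster's config, which is not shown here) of the general shape of a Logstash `syslog` output using `ssl-tcp`; the hostname, port and file paths are placeholders, and placing the server-generated certificate under `ssl_cacert` (trust anchor for validating the receiver) rather than `ssl_cert` (this host's own client identity) is an assumption about the poster's setup.

```logstash
output {
  # Existing Elasticsearch output left as-is (hosts value is a placeholder).
  elasticsearch {
    hosts => ["http://localhost:9200"]
  }

  # Send a copy of every event to the external syslog receiver over TLS.
  syslog {
    host     => "qradar.example.internal"   # placeholder: receiver hostname/IP
    port     => 6514                        # placeholder: TLS syslog port on the receiver
    protocol => "ssl-tcp"

    # Trust anchor: the certificate (or CA chain) that signed the receiver's
    # server certificate. A certificate exported from the receiver belongs here,
    # so Logstash can validate the server during the handshake.
    ssl_cacert => "/etc/logstash/certs/syslog.cert"
    ssl_verify => true

    # Only needed when the receiver demands mutual TLS: these would be a
    # certificate and key issued to this Logstash host, never the server's own.
    # ssl_cert => "/etc/logstash/certs/logstash-client.crt"
    # ssl_key  => "/etc/logstash/certs/logstash-client.key"

    rfc      => "rfc5424"
    appname  => "logstash"
    facility => "local0"
    severity => "informational"
  }
}
```

The handshake can be checked independently from the Logstash host with `openssl s_client -connect <host>:<port> -CAfile syslog.cert`; a `Verify return code: 0 (ok)` confirms the copied certificate actually chains to what the receiver presents, while a verification error means the file is not the right trust anchor.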