Logstash ssl-tcp configuration syslog output

Hello,

I'm trying to forward messages from Logstash to an external syslog server (QRadar). I need to use ssl-tcp for the external connection only, not for the connection to Elasticsearch. I can't find any documentation on how to properly configure the output file and what needs to be included in it. Below is the current Logstash output config file. The "syslog.cert" is a certificate generated from the external syslog server. The current output to Elasticsearch works without any issues, but the syslog output is not working correctly.

output {
  # Plugin names are lowercase in Logstash config.
  elasticsearch { hosts => ["localhost"] }
}

output {
  syslog {
    # Option names are lowercase too; straight quotes, not typographic ones.
    host => "10.10.10.10"
    severity => "debug"
    protocol => "ssl-tcp"
    port => "6514"
    ssl_cert => "/tmp/syslog.cert"
    # Boolean option: bareword false, not a quoted string.
    ssl_verify => false
    codec => line { format => "%{message}" }
  }
}

What does not work? Are there error messages in either the logstash or syslog logs?

I was told communication is getting to the QRadar machine, but the logs show messages like they're looking for a handshake to complete before it will accept the logs. This is why I entered the ssl_cert into the config. The reason I believe it's related to the certificate is that I have tested forwarding the logs without SSL and have verified connectivity.

Below are the error messages I see after making changes to the configuration file and restarting the Logstash service.

[2020-06-24T10:30:24,753][ERROR][logstash.agent ] Pipeline aborted due to error {:exception=>#<TypeError: can't convert nil into String>, :backtrace=>["org/jruby/RubyIO.java:3804:in `read'", "org/jruby/RubyIO.java:3987:in `read'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:229:in `setup_ssl'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:132:in `register'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator_strategies/legacy.rb:17:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/output_delegator.rb:43:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:290:in `register_plugin'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:301:in `register_plugins'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:301:in `register_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:310:in `start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:235:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:408:in `start_pipeline'"]}

Line 229 is this:

ssl_cert => "/tmp/syslog.cert."

Are you sure that should have a trailing period?

That is a typo; there is no "." in the actual config. Do you need to trust the syslog.cert or add it to anything? The only thing I've done is copy it to my machine from the destination machine.

I suspect it is failing to read the file at all.
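Added example, not part of the thread and not the plugin's own code. Per the documented options of logstash-output-syslog, `ssl_cert` and `ssl_key` are the certificate and private key that Logstash itself presents as the TLS client, while `ssl_cacert` (used when `ssl_verify => true`) is the CA or certificate to trust for the peer; a certificate exported from the QRadar side therefore belongs in `ssl_cacert`, not `ssl_cert`. The assumption behind this preflight (from the backtrace, not verified against the plugin source) is that `setup_ssl` reads `ssl_cert` and `ssl_key` from disk unconditionally, so a missing `ssl_key` is one way to reach `File.read(nil)` and the "can't convert nil into String" abort. The script below mirrors those reads against a plain option hash and reports which file is missing, unreadable, not PEM, or mismatched, using a constructed throwaway self-signed certificate so it runs offline:

```ruby
require "openssl"
require "tmpdir"

# Preflight for logstash-output-syslog ssl-tcp settings. Assumption about the
# plugin (not copied from it): at register time it File.read()s ssl_cert and
# ssl_key, and when ssl_verify is true it loads ssl_cacert into an X509 store.
# A nil path at any of those reads is what surfaces as
# "can't convert nil into String" before a single message is sent.
REQUIRED_FOR_SSL = %w[ssl_cert ssl_key].freeze

# Read a PEM file and hand it to the parsing block, collecting readable error
# text instead of letting the pipeline abort with a bare TypeError.
def load_pem(path, what, problems)
  return nil if path.nil?
  yield File.read(path)
rescue SystemCallError => e
  problems << "#{what}: cannot read #{path} (#{e.message})"
  nil
rescue OpenSSL::OpenSSLError => e
  problems << "#{what}: #{path} is not a PEM #{what} (#{e.message})"
  nil
end

# Returns a list of problems; an empty list means the options would at least
# get past the plugin's register step.
def syslog_ssl_preflight(opts)
  problems = []
  return problems unless opts["protocol"] == "ssl-tcp"

  REQUIRED_FOR_SSL.each do |k|
    problems << "#{k} is not set (the plugin would call File.read(nil))" if opts[k].nil?
  end

  cert = load_pem(opts["ssl_cert"], "ssl_cert", problems) { |pem| OpenSSL::X509::Certificate.new(pem) }
  key = load_pem(opts["ssl_key"], "ssl_key", problems) do |pem|
    pass = opts["ssl_key_passphrase"]
    pass ? OpenSSL::PKey::RSA.new(pem, pass) : OpenSSL::PKey::RSA.new(pem)
  end
  problems << "ssl_key does not belong to ssl_cert" if cert && key && !cert.check_private_key(key)

  # Logstash coerces the strings "true"/"false" to booleans; mirror that here.
  verify = opts["ssl_verify"] == true || opts["ssl_verify"].to_s == "true"
  if verify
    if opts["ssl_cacert"].nil?
      problems << "ssl_verify => true but ssl_cacert is not set (nothing to verify the peer against)"
    else
      begin
        OpenSSL::X509::Store.new.add_file(opts["ssl_cacert"])
      rescue OpenSSL::X509::StoreError, SystemCallError => e
        problems << "ssl_cacert: cannot load #{opts['ssl_cacert']} (#{e.message})"
      end
    end
  end
  problems
end

# Constructed test material: a throwaway self-signed certificate and key.
def write_self_signed(dir, cn)
  key = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  paths = [File.join(dir, "#{cn}.crt"), File.join(dir, "#{cn}.key")]
  File.write(paths[0], cert.to_pem)
  File.write(paths[1], key.to_pem)
  paths
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    cert_path, key_path = write_self_signed(dir, "logstash-client")
    # Shape of the original post: a certificate copied from the syslog server, no key.
    as_posted = { "protocol" => "ssl-tcp", "ssl_cert" => cert_path, "ssl_verify" => "false" }
    puts "as posted: #{syslog_ssl_preflight(as_posted).inspect}"
    # Client cert plus its own key; the server's certificate goes in ssl_cacert.
    fixed = { "protocol" => "ssl-tcp", "ssl_cert" => cert_path, "ssl_key" => key_path,
              "ssl_cacert" => cert_path, "ssl_verify" => true }
    puts "fixed:     #{syslog_ssl_preflight(fixed).inspect}"
  end
end
```

Run it with the real paths from your pipeline file substituted into the hash before restarting Logstash; with `ssl_verify => false` the plugin never checks who it is talking to, so once the handshake works, move the QRadar certificate into `ssl_cacert` and turn verification on.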
