Hello,
I am a little bit lost on this topic.
I have a container which is running Logstash.
What I am trying to do is to use the syslog output plugin to send logs to a third-party application over SSL.
But it fails with this error =>
Pipeline error {:pipeline_id=>"main", :exception=>#<TypeError: no implicit conversion of nil into String>, :backtrace=>[
  "org/jruby/RubyIO.java:3774:in `read'",
  "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:229:in `setup_ssl'",
  "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:132:in `register'",
  "org/logstash/config/ir/compiler/OutputStrategyExt.java:131:in `register'",
  "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:68:in `register'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:232:in `block in register_plugins'",
  "org/jruby/RubyArray.java:1821:in `each'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:231:in `register_plugins'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:589:in `maybe_setup_out_plugins'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:244:in `start_workers'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:189:in `run'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:141:in `block in start'"],
My current configuration for this plugin looks like this =>
output {
  syslog {
    host => "qradar.blooding.com"
    port => "6514"
    protocol => "ssl-tcp"
    appname => "LOGSTASH-AnsibleTower"
    sourcehost => "AT-Host"
  }
}
If I leave the protocol at the default "udp" value, it does not crash.
And the CA and intermediate CA certificates are already inside the container; you can list them with, for instance,
  trust list --filter=ca-anchors
I have tried many things.
I was checking the documentation from here.
I have tried to provide the QRadar certificate through various combinations of the following options:
  ssl_cacert
  ssl_cert
  ssl_verify
but, to my understanding, these properties are not meant for QRadar.
So, my question is: how do I send the logs to QRadar over SSL? What should the output.syslog block look like, and where should I trust the QRadar certificate?
Thank you in advance for your time to read this.
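An added Ruby illustration of the failure the backtrace points at; this is my own example, not code from the post above and not the logstash-output-syslog plugin's source. The backtrace shows `read` raising "no implicit conversion of nil into String" from inside `setup_ssl`, which is what `File.read` does when it is handed a nil path. The example builds a TLS client context from the same knobs the post names (ssl_cert, ssl_cacert, ssl_verify) plus ssl_key, which the post does not mention but the plugin documents, and runs three configurations side by side so the nil-path TypeError can be reproduced offline and compared with a context that actually verifies the peer. The helper names, the self-signed test certificate and the CN `logstash-client.example.invalid` are made up for the example; nothing here is the real QRadar host or certificate.

```ruby
require "openssl"
require "tmpdir"

# Added example, not the logstash-output-syslog plugin's code.  It builds a
# TLS client context from the same knobs the syslog output exposes
# (ssl_cert, ssl_key, ssl_cacert, ssl_verify) so the failure in the post can
# be reproduced offline: a nil path handed to File.read raises exactly
# "TypeError: no implicit conversion of nil into String".
def build_ssl_context(ssl_cert:, ssl_key:, ssl_cacert: nil, ssl_verify: false, ssl_key_passphrase: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  # Client certificate and key: a nil path on either line is the post's TypeError.
  ctx.cert = OpenSSL::X509::Certificate.new(File.read(ssl_cert))
  ctx.key  = OpenSSL::PKey.read(File.read(ssl_key), ssl_key_passphrase)
  if ssl_verify
    store = OpenSSL::X509::Store.new
    store.set_default_paths               # OpenSSL's own default CA location
    if File.directory?(ssl_cacert)        # a nil ssl_cacert fails the same way
      store.add_path(ssl_cacert)
    else
      store.add_file(ssl_cacert)
    end
    ctx.cert_store = store
    # Verify the server's chain and refuse to continue if it presents none.
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  else
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE  # encrypted, but the peer is not authenticated
  end
  ctx
end

# Wrap build_ssl_context and report the outcome as data instead of raising.
def try_build(**opts)
  [:ok, build_ssl_context(**opts).verify_mode]
rescue TypeError, Errno::ENOENT, OpenSSL::OpenSSLError => e
  [:error, "#{e.class}: #{e.message}"]
end

# Constructed test material: a throwaway self-signed certificate and key.
# The CN is made up; nothing here is the real QRadar host.
def write_self_signed(dir, cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, digitalSignature", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert_path = File.join(dir, "client.crt")
  key_path  = File.join(dir, "client.key")
  File.write(cert_path, cert.to_pem)
  File.write(key_path, key.to_pem)
  [cert_path, key_path]
end

# Three configurations side by side; returns a hash of outcomes.
def demo
  Dir.mktmpdir do |dir|
    cert_path, key_path = write_self_signed(dir, "logstash-client.example.invalid")
    {
      # protocol => "ssl-tcp" with no ssl_cert/ssl_key: the situation in the post.
      no_cert:   try_build(ssl_cert: nil, ssl_key: nil),
      # ssl_verify => true but no ssl_cacert to verify the server against.
      no_cacert: try_build(ssl_cert: cert_path, ssl_key: key_path,
                           ssl_verify: true, ssl_cacert: nil),
      # Client cert + key, and the CA that signed the server's cert, given explicitly.
      verified:  try_build(ssl_cert: cert_path, ssl_key: key_path,
                           ssl_verify: true, ssl_cacert: cert_path),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, outcome| puts "#{name}: #{outcome.inspect}" }
end
```

Two caveats a practitioner would want here. First, `set_default_paths` loads the OpenSSL library's own default CA directory, which is not necessarily the p11-kit anchor set that `trust list --filter=ca-anchors` prints, so whether the container's anchors are visible to the plugin depends on how the distribution wires those stores together; pointing `ssl_cacert` at the CA bundle explicitly removes that dependency. Second, with `ssl_verify` left false the connection is encrypted but the receiver is never authenticated, so logs can be exfiltrated by anyone who can intercept the TCP session; in a SIEM feed `VERIFY_PEER` plus an explicit CA file is the setting to aim for.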