Setup_ssl error

Hello,

I am a little bit lost on this topic.
I have a container which is running logstash.

What I am trying to do is to use the output syslog module to send logs to a third party application over ssl.
But it fails with this error =>

Pipeline error {:pipeline_id=>"main", :exception=>#<TypeError: no implicit conversion of nil into String>, :backtrace=>[
  "org/jruby/RubyIO.java:3774:in `read'",
  "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:229:in `setup_ssl'",
  "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:132:in `register'",
  "org/logstash/config/ir/compiler/OutputStrategyExt.java:131:in `register'",
  "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:68:in `register'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:232:in `block in register_plugins'",
  "org/jruby/RubyArray.java:1821:in `each'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:231:in `register_plugins'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:589:in `maybe_setup_out_plugins'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:244:in `start_workers'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:189:in `run'",
  "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:141:in `block in start'"],

my current configuration for this plugin looks like this =>

 output {
   syslog {
     host => "qradar.blooding.com"
     port => "6514"
     protocol => "ssl-tcp"
     appname => "LOGSTASH-AnsibleTower"
     sourcehost => "AT-Host"
   }
 }

If I leave protocol at the default "udp" value it does not crash.
And the CA and intermediate CA certificates are already inside the container; you can list them with
`trust list --filter=ca-anchors`
for instance.

I have tried many things.
I was checking the documentation from here.

I have tried to provide the qRadar certificate by trying various combinations of the following options:

  • ssl_cacert
  • ssl_cert
  • ssl_verify

but to my understanding these properties are not meant for qRadar.
So, my question is: how do I send the logs to qRadar over ssl? How should the output.syslog look, and where should I trust the qRadar certificate?

Thank you in advance for your time to read this.

If you set protocol to "ssl-tcp" then ssl_cert is a mandatory option. The code reads the cert here and it is getting that exception because ssl_cert is nil. Looking at the next line of code I imagine ssl_key and ssl_key_passphrase are also mandatory.

This issue has a possible patch.

Hello Badger,

thank you for your reply.

I have seen the links you have shared already.

My main set of questions remains the same =>

  • How to send the logs to qRadar over ssl?
  • How should the output.syslog look, and
  • Where should I trust the qRadar certificate?

Moreover, I am trying to understand the purpose of the protocol option inside output.syslog. Do I need it in order to send logs over ssl to qRadar?
Where in the git code is it visible that when protocol = ssl-tcp the other properties are required?

Setting protocol to "ssl-tcp" enables ssl over the tcp connection to syslog. That is checked here, and a dozen lines later it triggers the creation of an OpenSSL::SSL::SSLSocket.

When the plugin is initialized the SSL context is created. During that creation the client certificate (not the server certificate) is unconditionally loaded, followed by the unconditional attempt to load the private key file.

I was shocked to find that the default value for ssl_verify is false, so it does not, by default, validate the server certificate that it receives. If you set ssl_verify to true then you also need to set the ssl_cacert option to either a file or a directory that contains the CA cert chain of the syslog server certificate.

If qRadar is not expecting a client certificate then I do not know what it will do when it sees one.
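An added Ruby example, written for this page and not the plugin's own code, that mirrors the option handling described in the reply above: a client SSL context built from the same option names (ssl_cert, ssl_key, ssl_key_passphrase, ssl_verify, ssl_cacert), run against a loopback TLS server with constructed throw-away certificates. The server name "qradar-stand-in" and the other certificate names are constructed. It shows three things: a nil ssl_cert path produces the `no implicit conversion of nil into String` TypeError from the backtrace, the ssl_verify => false default completes the handshake against any server certificate, and ssl_verify => true with ssl_cacert rejects a server whose certificate does not chain to the configured CA. The hostname check in the verify branch is an addition here, not something the thread attributes to the plugin.

```ruby
require 'openssl'
require 'socket'
require 'tempfile'

# Constructed throw-away PKI: an RSA key and a self-signed certificate for +cn+.
# The server cert doubles as its own "CA" so its file can be handed to ssl_cacert.
def make_self_signed(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1 << 31)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

def pem_file(obj)
  f = Tempfile.new('pem')
  f.write(obj.to_pem)
  f.flush
  f
end

# Client context built from the plugin's option names (simplified re-implementation, not the
# plugin's code). Like the plugin, ssl_cert and ssl_key are read unconditionally, so a nil path
# reaches File.read(nil) and raises the TypeError from the original post.
def client_context(ssl_cert:, ssl_key:, ssl_key_passphrase: nil, ssl_verify: false, ssl_cacert: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = OpenSSL::X509::Certificate.new(File.read(ssl_cert))
  ctx.key  = OpenSSL::PKey::RSA.new(File.read(ssl_key), ssl_key_passphrase)
  if ssl_verify
    raise ArgumentError, 'ssl_verify => true needs ssl_cacert' if ssl_cacert.nil?
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    if File.directory?(ssl_cacert)
      ctx.ca_path = ssl_cacert   # ssl_cacert may be a file or a directory
    else
      ctx.ca_file = ssl_cacert
    end
    ctx.verify_hostname = true   # added hardening: also match the name in the server cert
  else
    ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE   # the plugin default: any server cert passes
  end
  ctx
end

# One TLS handshake against a loopback server presenting +server_cert+.
# Returns :connected, or the client-side SSLError message.
def try_handshake(server_key, server_cert, client_ctx)
  tcp  = TCPServer.new('127.0.0.1', 0)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = server_cert
  sctx.key  = server_key
  listener = OpenSSL::SSL::SSLServer.new(tcp, sctx)
  server = Thread.new do
    listener.accept.close
  rescue StandardError
    nil   # a handshake the client aborts surfaces here; expected in the wrong-CA case
  end
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', tcp.addr[1]), client_ctx)
  ssl.sync_close = true
  ssl.hostname = 'localhost'
  ssl.connect
  ssl.close
  :connected
rescue OpenSSL::SSL::SSLError => e
  ssl&.close
  e.message
ensure
  server&.join(2)
  tcp&.close
end

# The failure from the original post: protocol => "ssl-tcp" with no ssl_cert configured.
def reproduce_nil_cert_error
  client_context(ssl_cert: nil, ssl_key: nil)
  nil
rescue TypeError => e
  e.message
end

# Three client configurations against the same stand-in server (all certificates constructed).
def demo
  server_key, server_cert = make_self_signed('qradar-stand-in')
  _, other_cert           = make_self_signed('unrelated-ca')
  client_key, client_cert = make_self_signed('logstash-client')
  files = [client_cert, client_key, server_cert, other_cert].map { |o| pem_file(o) }
  cert_path, key_path, server_ca, other_ca = files.map(&:path)
  {
    verify_false:         try_handshake(server_key, server_cert,
                                        client_context(ssl_cert: cert_path, ssl_key: key_path)),
    verify_true_right_ca: try_handshake(server_key, server_cert,
                                        client_context(ssl_cert: cert_path, ssl_key: key_path,
                                                       ssl_verify: true, ssl_cacert: server_ca)),
    verify_true_wrong_ca: try_handshake(server_key, server_cert,
                                        client_context(ssl_cert: cert_path, ssl_key: key_path,
                                                       ssl_verify: true, ssl_cacert: other_ca))
  }
ensure
  files&.each(&:close!)
end

if $PROGRAM_NAME == __FILE__
  puts reproduce_nil_cert_error
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Read the three results as the three ways the output can be configured: the default accepts any server (an on-path attacker can impersonate the syslog receiver), the right CA in ssl_cacert lets the handshake complete with the server verified, and an unrelated CA makes the client abort the handshake with "certificate verify failed". The client certificate is loaded in all three cases, which is the requirement the thread is complaining about.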

Hello Badger,

to be honest I do not understand how exactly this `def ssl?` definition is forcing the `def setup_ssl` definition, but that's ok, I am not aware of Ruby's inner mechanics.
So, it is not important. Thank you for pointing it out though.

I am not sure if I was able to follow exactly what you said.
Do I need the protocol = ssl-tcp or not after all?
How exactly should I set up my configuration in order to be able to send over ssl my logs to qRadar and where should I trust qRadar's certificate?

If you want to use tls then you must set `protocol => "ssl-tcp"`. If you do that you must create a client certificate and set the ssl_cert, ssl_key, and ssl_key_passphrase options to allow the output to load the client certificate and its key.

Hello Badger,

let me recap.
There is a qRadar server that is listening on an ssl port.
qRadar is the server, I am the client (syslog in this case).
I want to establish an ssl communication between syslog and qRadar.
Why on earth does syslog need to have its own certificate? qRadar is accepting all incoming traffic, no need to authenticate.
What am I missing here?

The output was written so that it requires a client certificate, but doesn't bother to verify the server certificate. It's absolutely bizarre, but that's how it was written. As I mentioned, there is a patch available that fixes that if you want to build the code yourself.
