Hi Jason, if you're using TLS client certificates (and client certificate verification), you either have to add the CA certificate or all the client certificates to the JVM's trust store, see http://docs.graylog.org/en/2.1/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store for a related entry in the Graylog documentation.
Cheers, Jochen On Monday, 9 January 2017 01:14:56 UTC+1, Jason Haar wrote: > > Hi there > > We have set up our first Cisco ASA (8.4) to send syslog (TLS) messages > through to graylog via > > logging host outside ip.add.ress TCP/6666 secure > > We already have some Unix systems using rsyslog successfully doing the > same thing, but the Cisco records aren't being accepted. > > A sniffer shows traffic coming in from the Cisco, but server.log reports > the following. That sounds like the Cisco attempted to handshake TLS and > then sent an alert to graylog stating the error was "certificate_unknown"? > That would make sense, but our network group have no idea how to make the > CA trusted. > > Can someone point me at something they need to read to do this properly? > > Thanks, Jason > > > > 2017-01-09T00:07:56.088Z ERROR [NettyTransport] Error in Input [Syslog > TCP/570cc00b9cdbc22f13f5cecd] (channel [id: 0x525ae1a4, /1.2.3.4:56720 => > /4.3.2.1:6666]) > javax.net.ssl.SSLException: Received fatal alert: certificate_unknown > at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:1.8.0_77] > at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:1.8.0_77] > at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:1.8.0_77] > at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:1.8.0_77] > at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:1.8.0_77] > at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) > ~[?:1.8.0_77] > at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:1.8.0_77] > at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_77] > at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1219) > ~[graylog.jar:?] > at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852) > ~[graylog.jar:?] > at > org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425) > > ~[graylog.jar:?] > at > org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) > > ~[graylog.jar:?] > at > org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) > > ~[graylog.jar:?] > at > org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) > > [graylog.jar:?] > at > org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) > > [graylog.jar:?] > at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) > [graylog.jar:?] > at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) > [graylog.jar:?] > at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) > [graylog.jar:?] > at > org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) > > [graylog.jar:?] > at > org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) > > [graylog.jar:?] > at > org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) > > [graylog.jar:?] > at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) > [graylog.jar:?] > at > org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) > > [graylog.jar:?] > at > org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) > > [graylog.jar:?] > at > com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) > > [graylog.jar:?] > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) > [?:1.8.0_77] > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) > [?:1.8.0_77] > at java.lang.Thread.run(Unknown Source) [?:1.8.0_77] > > > -- > Cheers > > Jason Haar > Information Security Manager, Trimble Navigation Ltd. > Phone: +1 408 481 8171 > PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/841e97a0-459c-4e98-a1c8-20edbfb90068%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
