We got it working, so I thought I'd share the trick. It turned out the network guys had syslog/TLS pointing at the IP address instead of the hostname that is present in the cert. There is no way to disable cert validation on Ciscos, so the Cisco was dropping the session due to the name mismatch. Also, it appears (on Cisco) you have to configure a CRL for the CA used to sign the Graylog TLS cert. That sounds weird to me, but that's what they did to make it work:
! ASA logging config as used; the CA name, port and CRL details are placeholders
logging enable
logging timestamp
logging buffer-size 8196
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
logging queue 0
logging device-id hostname
! Point at the FQDN that is in the Graylog cert (not the IP) and use TLS ("secure")
logging host outside fqdn 6/portNUM secure
logging permit-hostdown
! Trustpoint for the CA that signed the Graylog cert; CRL checking had to be configured too
crypto ca trustpoint CA-who-signed-graylogCert
 enrollment terminal
 crl configure
  whatever goes here for your CA
crypto ca certificate chain CA-who-signed-graylogCert
 certificate ca xxxxxxx

This will then enable the Cisco to create a syslog/TLS session to the Graylog server, and then you'll have to add some extractors to actually glean the information you want; the Ciscos are bad at that too. But all working now :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/CAFChrgLjk0P6szsiJ9XdB6H3d%2B%2B1Rmi7hDvDu2pVRWNbJ%2Bmiag%40mail.gmail.com.
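The name-mismatch failure described in the post comes down to how a strict TLS client compares the peer name it was configured with against the server certificate's subjectAltName. The following is an added example (not code from the post, from Graylog or from Cisco) that models that comparison the way RFC 6125 / RFC 5280 clients do it, so you can check a planned `logging host` value against a cert's SAN list before touching the ASA. It goes slightly beyond the post's case by also handling wildcard dNSName entries and IPv6 literals. The SAN entries and the names `graylog.example.com` / `192.0.2.10` are constructed for illustration; with a real cert you would obtain the SAN list from `openssl x509 -noout -ext subjectAltName`.

```python
"""Peer-name vs. certificate SAN matching (RFC 6125 / RFC 5280 rules).

Models what a TLS client that cannot skip validation (such as the ASA's
syslog/TLS client) does when it compares the configured peer name with the
server certificate's subjectAltName. All SAN data below is constructed for
the example; it is not read from a real certificate.
"""
import ipaddress


def _is_ip_literal(name: str) -> bool:
    """True if the configured name is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison.

    A single leading '*' may stand for exactly one label and only when at
    least two fixed labels follow it ('*.example.com', never '*.com' or
    '*' alone); wildcards elsewhere are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels = pattern.split(".")
    hlabels = host.split(".")
    if plabels[0] != "*" or any("*" in p for p in plabels[1:]) or len(plabels) < 3:
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def check_peer_name(san_entries, configured_name):
    """Return (ok, reason).

    san_entries: list of (kind, value) with kind 'DNS' or 'IP', as they appear
    in the subjectAltName extension. An IP-literal peer name only ever
    matches an iPAddress SAN; a hostname only ever matches a dNSName SAN.
    """
    if _is_ip_literal(configured_name):
        target = ipaddress.ip_address(configured_name)
        for kind, value in san_entries:
            if kind == "IP" and ipaddress.ip_address(value) == target:
                return True, f"iPAddress SAN {value} matches {configured_name}"
        dns_names = [v for k, v in san_entries if k == "DNS"]
        return False, (f"{configured_name} is an IP literal; only an iPAddress SAN can "
                       f"match it, but the cert carries dNSName {dns_names}")
    for kind, value in san_entries:
        if kind == "DNS" and _dns_match(value, configured_name):
            return True, f"dNSName SAN {value} matches {configured_name}"
    return False, f"no subjectAltName entry matches {configured_name}"


if __name__ == "__main__":
    # Constructed SAN list for a hypothetical Graylog cert: hostname only, no IP entry.
    san = [("DNS", "graylog.example.com")]
    for peer in ("192.0.2.10", "graylog.example.com"):
        ok, why = check_peer_name(san, peer)
        print(f"{'OK  ' if ok else 'FAIL'} logging host -> {peer}: {why}")
```

The first run prints FAIL for the IP literal and OK for the hostname, which is the exact mismatch the ASA refused. The fix has two acceptable shapes: configure the Cisco with the FQDN that is in the cert (what the post did), or reissue the Graylog cert with an iPAddress SAN for the address the device dials; the wrong move is loosening validation, which the ASA does not allow anyway.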