Graylog Community

Get "Remote Syslog Security Host" Logs from HPE Primera 600

Graylog Central (peer support)

Marvin1 October 24, 2023, 12:35pm 1

Hello Guys I have a small problem. I want to monitor the HPE Primera 600 Storage.
Primera gives 2 types of logs. Security and non Security.

non Security need a UDP conection.
security need a TCP and TLS connection

I don’t know how to start. I deployed a Input (Syslog TCP) in the edit mask of the input i enabled TLS and put in the paths to the Graylog public and private key.
TLS is active in the server.conf of Graylog-Server.

In the Primera i put in

XXX cli% setsys RemoteSyslogSecurityHost test.graylog.org:1234

I can see that messages appear, but when I open the input in Graylog, the messages are not displayed.

When i start an Input (RAW TCP) on that port messages are displayed but only test messages from the system.

What else needs to be implemented? Where did I make a mistake?

Greetings

Joel_Duffield (Joel Duffield) October 24, 2023, 1:19pm 2

Is the certificate self signed, and does the HPE support untrusted certs?

1 Like

Marvin1 October 24, 2023, 1:20pm 3

I have an Idea. Is it possible that the cert have not the right key_usage?
usage:
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth

Marvin1 October 24, 2023, 1:20pm 4

It is a trusted cert and the root CA is trusted from the Primera

Joel_Duffield (Joel Duffield) October 24, 2023, 1:38pm 5

When you say you only see test messages on the raw input do you mean the mesaages that are sent to verify the setup (a test button on the setup page etc)

What do you mean by “I can see that messages appear”, where are you seeing this?

1 Like

Marvin1 October 24, 2023, 1:51pm 6

grafik
the counter for total I/O goes up and connections are listed

I created a short RAW TCP test input on that port and DONT enabled TCP.

Marvin1 October 25, 2023, 2:31pm 7

I have deployed the Input!

Primera:
generate cert on the Primera for Syslog Client.

cli% createcert syslog-sec-client -csr -CN Primera.test.org -SAN DNS:Primera.test.org,IP:127.0.0.1

(name and IP are not real and have to be edited)

Install Ca-cert-Bundl

cli% importcert syslog-sec-client -ca stdin

CA-certified CERT import

cli% importcert syslog-sec-client stdi

Configuration for Remote Syslog Servers

cli% setsys RemoteSyslogSecurityHost graylog.test.org:1234

Start Service

cli% setsys RemoteSyslog 1

Graylog:

Deploy of Input Syslog TCP
Port:1234

TLS cert file:
/path/to/graylog TLS cert

TLS privat key:
/path/to/graylog TLS key

Enable TLS

TLS client authentication
required

TLS Client Auth Trustet Certs
/path/to/Primera TLS genareted cert

You have to copy the generated cert from the Primera to your Graylog.
chown: graylog:graylog
chmod: 640

Greetings
Marvin

system (system) Closed November 8, 2023, 2:32pm 8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views	Activity
Using Syslog with TLS Graylog Central (peer support)	5	7458	February 27, 2021
Secure Syslog Input Issues Graylog Central (peer support)	1	932	February 12, 2021
How to configure an syslog TLS input in Graylog2 Graylog Central (peer support)	1	3576	December 14, 2017
Enable Rsyslog with TLS to Graylog2 Graylog Central (peer support)	5	3305	June 17, 2019
TLS for an Input Graylog Central (peer support)	3	736	May 25, 2024