Input can't received the log


#1

Hello

I send log form my post with nxlog
i got this error on my log graylog

2018-06-28T11:06:59.275+02:00 ERROR [NettyTransport] Error in Input [GELF TCP/5b3493994ceaefe0cbb027f7] (channel [id: 0x73af22df, /`192.168.10.1:64378 => /192.168.10.10:16666])
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:1.8.0_171]
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:1.8.0_171]
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:1.8.0_171]
        at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:1.8.0_171]
        at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:1.8.0_171]
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:1.8.0_171]
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:1.8.0_171]
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_171]
        at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1219) ~[graylog.jar:?]
        at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852) ~[graylog.jar:?]
        at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425) ~[graylog.jar:?]
        at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) ~[graylog.jar:?]
        at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[graylog.jar:?]
        at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
        at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) [graylog.jar:?]
        at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) [graylog.jar:?]
        at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) [graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) [graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) [graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) [graylog.jar:?]
        at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) [graylog.jar:?]
        at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
        at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_171]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_171]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]

i got one certificat auto-siged and this ligne say unknow_ca dont understand my conf nxlog

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERT C:\Program Files (x86)\nxlog\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log


<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
<QueryXML>
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[timediff(@SystemTime) &lt;= 3600]]]</Select>
  </Query>
</QueryList>
</QueryXML>
</Input>

<Extension gelf>

    Module xm_gelf

</Extension>

<Output out>

    Module      om_ssl
    Host        192.168.10.10
    Port        16666
    OutputType  GELF_TCP
    CertFile    %CERT%\graylog-is-cert.pem
    CertKeyFile %CERT%\graylog-is-key.pem
    KeyPass secret
    AllowUntrusted TRUE
</Output>

<Route 1>
    Path        in => out
</Route>

my input

bind_address:
 0.0.0.0
decompress_size_limit:
 8388608
max_message_size:
 2097152
override_source:
 <empty>
port:
 16666
recv_buffer_size:
 1048576
tcp_keepalive:
 false
tls_cert_file:
 /etc/graylog/server/certificats/graylog-is-cert.pem
tls_client_auth:
 disabled
tls_client_auth_cert_file:
 <empty>
tls_enable:
 true
tls_key_file:
 /etc/graylog/server/certificats/graylog-is-key.pem
tls_key_password:
 ********
use_null_delimiter:
 true

log nxlog

2018-06-28 11:14:44 INFO successfully connected to 192.168.10.10:16666
2018-06-28 11:14:44 INFO reconnecting in 1 seconds
2018-06-28 11:14:44 ERROR SSL certificate verification failed: unable to verify the first certificate (err: 21)
2018-06-28 11:14:45 INFO connecting to 192.168.10.10:16666
2018-06-28 11:14:45 INFO successfully connected to 192.168.10.10:16666
2018-06-28 11:14:45 INFO reconnecting in 1 seconds
2018-06-28 11:14:45 ERROR SSL certificate verification failed: unable to verify the first certificate (err: 21)

#2

The certificat was bad i do a new certificat


(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.