Sending logs from Synology to Graylog over TLS = "TLSV1_ALERT_UNKNOWN_CA"

Hey There, I’m building a Graylog server to keep an eye on a bunch of Synology boxes I have. I want them to use SSL/TLS but when I turn it on, I see a CA error in the server log. I’ve tried shadowCA certs for the synology, added them to the OS truststore and java keystore (I verified their in there with keytool)… No matter what I do, I get the same error whenever a Synology tries to connect to graylog over TLS (Anyone else experience this?)

2019-06-03T13:05:11.259-07:00 WARN [AbstractTcpTransport] Client auth configured, but no authorized certificates / certificate authorities configured for input [Syslog TCP/5ce5b8d6fe4050505a2c4c4a]
2019-06-03T13:05:12.807-07:00 ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/5ce5b8d6fe4050505a2c4c4a] (channel [id: 0xc70eb333, L:/10.1.1.5:6514 ! R:/192.168.0.5:39297]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA)

My question:

  1. How do I assign authorized certificates / certificate authorities to an input (as the error suggests)?

I suspect that I’m going to be forced to use rsyslog as a TLS server for these Synology boxes and tell graylog to monitor that but figured I’ve give a shout out here 1st to help me translate the error message.

1 Like

So how does your Syslog configuration in Graylog look like?

----------------Syslog 6514/tcp
allow_override_date:
true
bind_address:
0.0.0.0
expand_structured_data:
true
force_rdns:
false
max_message_size:
2097152
number_worker_threads:
2
override_source:

port:
6514
recv_buffer_size:
1048576
store_full_message:
true
tcp_keepalive:
false
tls_cert_file:
/etc/graylog/ssl/signed/graylog-1_bundle.pem
tls_client_auth:
optional
tls_client_auth_cert_file:

tls_enable:
true
tls_key_file:
/etc/graylog/ssl/signed/graylog-1_bundle.pem
tls_key_password:
********
use_null_delimiter:
false


I should have specified, that the input works as expected in that I can connect via TLS using openSSL s_client. It is the Synology “Log Sending” UI that I cant get to connect to it for the life of me.

admin@Synology-16:~$ openssl s_client -CApath /etc/ssl/certs/ -connect 10.1.1.5:6514 -tls1_2 -tlsextdebug
CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0000 - 00                                                .
TLS server extension "EC point formats" (id=11), len=2
0000 - 01 00                                             ..
depth=0 C = US, ST = California, O = "Company, Inc.", OU = Software, CN = graylog-1.local.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, O = "Company, Inc.", OU = Software, CN = graylog-1.local.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/O=Company, Inc./OU=Software/CN=graylog-1.local.com
   i:/C=US/ST=California/O=Company, Inc./OU=Software/CN=Company Intermediate CA02
---
Server certificate
-----BEGIN CERTIFICATE-----
ABCDEFG --SNIPED OUT FOR PRIVACY

ABCDEFG --SNIPED OUT FOR PRIVACY

ABCDEFG --SNIPED OUT FOR PRIVACY

ABCDEFG --SNIPED OUT FOR PRIVACY

ABCDEFG --SNIPED OUT FOR PRIVACY

==
-----END CERTIFICATE-----
subject=/C=US/ST=California/O=Company, Inc./OU=Software/CN=graylog-1.local.com
issuer=/C=US/ST=California/O=Company, Inc./OU=Software/CN=Company Intermediate CA02
---
Acceptable client certificate CA names

/C=HK/O=Hongkong Post/CN=Hongkong Post Root CA 1
/C=US/O=SecureTrust Corporation/CN=SecureTrust CA
/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - EC1
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3
/C=GR/L=Athens/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2015
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4
/C=GR/L=Athens/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions ECC RootCA 2015
/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
/C=FR/O=OpenTrust/CN=OpenTrust Root CA G1
/C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2
/C=TW/O=Chunghwa Telecom Co., Ltd./OU=ePKI Root Certification Authority
/C=US/O=AffirmTrust/CN=AffirmTrust Commercial
/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
/C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp Global Certification Authority
/C=ES/O=Agencia Catalana de Certificacio (NIF Q-0801176-I)/OU=Serveis Publics de Certificacio/OU=Vegeu https://www.catcert.net/verarrel (c)03/OU=Jerarquia Entitats de Certificacio Catalanes/CN=EC-ACC
/C=FI/O=Sonera/CN=Sonera Class2 CA
/C=US/ST=California/L=San_Diego/O=graylog-shadowCA/OU=Support graylog-shadowCA/CN=graylog-shadowCA (by Company SYSTEMS INC.)/emailAddress=itadmin@local.com
/C=US/ST=California/O=Company, Inc./OU=Software/CN=Company Intermediate CA01
/C=US/O=GeoTrust Inc./OU=(c) 2007 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G2
/C=US/ST=California/O=Company, Inc./OU=Software/CN=Company Root CA
/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
/C=FR/O=Certinomis/OU=0002 433998903/CN=Certinomis - Root CA
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
/C=US/O=Internet Security Research Group/CN=ISRG Root X1
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor RootCert CA-1
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA
/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
/C=US/ST=California/O=Company, Inc./OU=Software/CN=Company Intermediate CA02
/C=US/O=GeoTrust Inc./CN=GeoTrust Universal CA 2
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
/C=FR/O=OpenTrust/CN=OpenTrust Root CA G2
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G3
/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=FR/O=OpenTrust/CN=OpenTrust Root CA G3
/C=TR/L=Ankara/O=T\xC3\x9CRKTRUST Bilgi \xC4\xB0leti\xC5\x9Fim ve Bili\xC5\x9Fim G\xC3\xBCvenli\xC4\x9Fi Hizmetleri A.\xC5\x9E./CN=T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H5
/C=US/O=AffirmTrust/CN=AffirmTrust Networking
/C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Global Root CA
/C=US/O=AffirmTrust/CN=AffirmTrust Premium
/C=TW/O=Government Root Certification Authority
/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
/C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Root Certification Authority
/C=LU/O=LuxTrust S.A./CN=LuxTrust Global Root 2
/C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008
/CN=Atos TrustedRoot 2011/O=Atos/C=DE
/C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com EV Root Certification Authority RSA R2
/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
/C=JP/O=Japan Certification Services, Inc./CN=SecureSign RootCA11
/C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com Root Certification Authority ECC
/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
/C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor RootCert CA-2
/C=TR/L=Gebze - Kocaeli/O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK/OU=Kamu Sertifikasyon Merkezi - Kamu SM/CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
/C=US/O=SecureTrust Corporation/CN=Secure Global CA
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 3
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G3
/C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor ECA-1
/C=FR/O=Certplus/CN=Class 2 Primary CA
/C=CH/O=WISeKey/OU=Copyright (c) 2005/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GA CA
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
/C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority
/C=CN/O=China Financial Certification Authority/CN=CFCA EV ROOT
/OU=GlobalSign ECC Root CA - R5/O=GlobalSign/CN=GlobalSign
/C=GR/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2011
/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
/C=US/O=IdenTrust/CN=IdenTrust Public Sector Root CA 1
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G3
/O=TeliaSonera/CN=TeliaSonera Root CA v1
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
/C=US/O=VISA/OU=Visa International Service Association/CN=Visa eCommerce Root
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G4
/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA
/C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G2
/C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com Root Certification Authority RSA
/C=US/O=Amazon/CN=Amazon Root CA 4
/C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/emailAddress=ca@snakeoil.dom
/C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2
/O=Digital Signature Trust Co./CN=DST Root CA X3
/C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 Root CA
/C=DE/O=D-Trust GmbH/CN=D-TRUST Root Class 3 CA 2 EV 2009
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G3
/C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
/C=RO/O=certSIGN/OU=certSIGN ROOT CA
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
/C=DE/O=D-Trust GmbH/CN=D-TRUST Root Class 3 CA 2 2009
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 1 G3
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
/C=ES/O=IZENPE S.A./CN=Izenpe.com
/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3
/C=US/ST=California/O=Company, Inc./OU=Software/CN=graylog-1.local.com
/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Services Root Certificate Authority - G2
/C=CH/O=WISeKey/OU=OISTE Foundation Endorsed/CN=OISTE WISeKey Global Root GB CA
/C=US/O=Amazon/CN=Amazon Root CA 3
/C=US/ST=California/O=Company, Inc./OU=Software/CN=bs2.mgmt.local.com
/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3 G3
/C=HU/L=Budapest/O=Microsec Ltd./CN=Microsec e-Szigno Root CA 2009/emailAddress=info@e-szigno.hu
/C=HU/L=Budapest/O=NetLock Kft./OU=Tan\xC3\xBAs\xC3\xADtv\xC3\xA1nykiad\xC3\xB3k (Certification Services)/CN=NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny
/C=IT/L=Milan/O=Actalis S.p.A./03358520967/CN=Actalis Authentication Root CA
/C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
/C=US/ST=California/O=Company, Inc./OU=Software/CN=CompanyCA/emailAddress=itadmin@local.com
/C=FR/O=Certplus/CN=Certplus Root CA G1
/C=FR/O=Dhimyotis/CN=Certigna
/C=TR/L=Ankara/O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E./OU=E-Tugra Sertifikasyon Merkezi/CN=E-Tugra Certification Authority
/CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
/C=BM/O=QuoVadis Limited/OU=Root Certification Authority/CN=QuoVadis Root Certification Authority
/C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com EV Root Certification Authority ECC
/C=NO/O=Buypass AS-983163327/CN=Buypass Class 3 Root CA
/C=US/O=thawte, Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G2
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
/O=Cybertrust, Inc/CN=Cybertrust Global Root
/C=US/O=Amazon/CN=Amazon Root CA 1
/C=GB/O=Trustis Limited/OU=Trustis FPS Root CA
/C=CN/O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD./CN=GDCA TrustAUTH R5 ROOT
/C=US/O=Amazon/CN=Amazon Root CA 2
/OU=GlobalSign ECC Root CA - R4/O=GlobalSign/CN=GlobalSign
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
/C=EE/O=AS Sertifitseerimiskeskus/CN=EE Certification Centre Root CA/emailAddress=pki@sk.ee
/C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Global Chambersign Root - 2008
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
/C=FR/O=Certplus/CN=Certplus Root CA G2
/C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC
/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2
/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G2
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
/C=PL/O=Krajowa Izba Rozliczeniowa S.A./CN=SZAFIR ROOT CA2
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:0x04+0x08:RSA+SHA256:ECDSA+SHA384:0x05+0x08:RSA+SHA384:0x06+0x08:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA+SHA256:ECDSA+SHA384:RSA+SHA384:RSA+SHA512:RSA+SHA1
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 18126 bytes and written 2345 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: F14C347BCC7A86C09E063DB267DB90D77E4DC95975DC395BB8E049815C53F5E3
    Session-ID-ctx:
    Master-Key: 123456-SNIPED_FOR_PRIVACY-654321
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1559662135
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

HELLO WORLD!!!!

^C

admin@Synology-16:~$

//////END
I see “HELLO WORLD!!!” populate on gl2_source_input as it should.
The issue seams centered around Synology UI using some weird SSL/TLS standard but my chats with their support desk end with them wanting me to use Synology for syslog, not Graylog… :frowning:

PS. I finaly figured out where Synology hides it’s syslog-ng.conf file and I’ll be working on that today and report back if I find anything to make it graylog+tls firendly.

admin@Synology-16:$ cat /var/packages/LogCenter/target/etc/syslog-ng/patterndb.d/pkg-LogCenter-client.conf

filter f_syno_client_fac {program(System type("string")) or program(Connection type("string")) or program(FtpFileTransfer type("string")) or program(FileStation type("string")) or program(WinFileService type("string")) or program(MacFileService type("string")) or program(Webdav type("string")) or program(Backup type("string")) or program(NetworkBackup type("string"))};
filter f_syno_client_sev { level(emerg,alert,crit,err,warning,notice,info); };
destination d_syno_internet {
    syslog(
            "10.1.1.5"
            port(6514)
            transport(tls)
            ip-protocol(4)
            tls(ca_dir("/var/packages/LogCenter/target/service/conf/client_keys"))
            log_fifo_size(50000)
    );
};
log { source(s_syno_syslog); filter(f_syno_client_sev); filter(f_syno_client_fac); destination(d_syno_internet); };
1 Like

No dice. Today I added certificates to the Synology’s OS trust store…
Graylog’s server.log gives the same “OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA” error with signed, self signed, or even with no certificates specified on the syslog input.

Since openssl s_client works, I don’t think Synology is compatible with Graylog’s Syslog Input…

1 Like

Sorry I never had used Syslog-NG with Client authentication. But are you sure that the single line is enough?

            tls(ca_dir("/var/packages/LogCenter/target/service/conf/client_keys"))

Because when I look into the Syslog-NG Documentation ( https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/mutual-authentication-using-tls/2 ) I can see this:

destination demo_tls_destination {
    network("172.16.177.147" port(6514)
    transport("tls")
    tls( ca-dir("/etc/syslog-ng/ca.d")
         key-file("/etc/syslog-ng/cert.d/clientkey.pem")
         cert-file("/etc/syslog-ng/cert.d/clientcert.pem") )
    ); };

log { source(src); destination(demo_tls_destination); };

what let me believe that somthing in your configuration is not complete …

For S&G I went ahead and hard coded the cert/key-file variables and also added peer-verify(no)::

root@Synology-16:/var/packages/LogCenter/target/etc/syslog-ng/patterndb.d# cat pkg-LogCenter-client.conf
filter f_syno_client_fac {program(System type("string")) or program(Connection type("string")) or program(FtpFileTransfer type("string")) or program(FileStation type("string")) or program(WinFileService type("string")) or program(MacFileService type("string")) or program(Webdav type("string")) or program(Backup type("string")) or program(NetworkBackup type("string"))};
filter f_syno_client_sev { level(emerg,alert,crit,err,warning,notice,info); };
destination d_syno_internet {
        syslog( 
                "10.1.1.5"
                port(6514)
                transport(tls)
                ip-protocol(4)
                tls(ca_dir("/var/packages/LogCenter/target/service/conf/client_keys")
                key-file("/var/packages/LogCenter/target/service/conf/client_keys/key.pem")
                cert-file("/var/packages/LogCenter/target/service/conf/client_keys/crt.pem") )
                log_fifo_size(50000)
                peer-verify(no)
        );
};
log { source(s_syno_syslog); filter(f_syno_client_sev); filter(f_syno_client_fac); destination(d_syno_internet); };

root@Synology-16:/var/packages/LogCenter/target/etc/syslog-ng/patterndb.d# /usr/syno/etc/rc.sysv/syslog-ng.sh reload
syslog-ng start/running
syslog-ng start/running, process 472

GRAYLOG Still reporting Unknown CA from Synology devices configured with TLS/SSL… :frowning:

2019-06-05T10:53:39.307-07:00 ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/5ce5b8d6fe4050505a2c4c4a] (channel [id: 0x87ebbe35, L:/graylog-1:6514 ! R:/Synology-16
0:42703]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA)
1 Like

GRAYLOG Still reporting Unknown CA from Synology devices configured with TLS/SSL… :frowning:

But that is easy to solve.

Please answer the question:

  • Is Graylog able to verify the Certificate that is present?

Does Graylog trust the CA that has created the certificate or does Graylog trust this certificate directly? Both sides need to trust the other sides certificate and verify them.

This has been my headache all week. Yes the Centos/7 box I’m running Graylog on has the certificates and authority chain loaded onto it.

OPENSSL CA Verification from Graylog:

[admin@graylog-1 signed]$ openssl verify -purpose sslserver -CAfile CA.crt Synology-16.crt.pem
Synology-16.crt.pem: OK
[admin@graylog-1 signed]$ openssl verify -purpose sslserver -CAfile CA.crt graylog-1.crt.pem
graylog-1.crt.pem: OK

OPENSSL CA Verification from Synology:
root@Synology-16:~/client-keys# sudo openssl verify -verbose /var/packages/LogCenter/target/service/conf/client_keys/ca.crt
/var/packages/LogCenter/target/service/conf/client_keys/ca.crt: C = US, ST = California, O = "Company, Inc.", OU = Software, CN = Company Root CA
error 18 at 0 depth lookup:self signed certificate
OK

I suspect the message I see in server.log…

2019-06-06T13:28:49.833-07:00 ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/5ce5b8d6fe4050505a2c4c4a] (channel [id: 0x0cff0158, L:/Graylog-1:6514 ! R:/Synology-16:36790]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000418:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA)

… is actually coming from the log Sender Synology not from Graylog. Since my company is a CA, I decided to create 2 signed crt/lkey pairs for graylog and synology in PEM format. I upload the signed certs to the Synology’s /etc/ssl/certs directory along with the CA.pem and CAchain.pem’s… I still see the unknown CA message. I’m going to keep bugging Synology for an answer.

1 Like

@SoMoney

did you checked if the Graylog JVM/JKS can verify the certificate? please keep in mind that the JVM does not always use the system certificates to verify the certificates but its own keystore.

you might find this part of the documentation helpful: http://docs.graylog.org/en/3.0/pages/secure/securing.html

I think you mean import certificates into the java-key-store using keytool?

Yes sir, in a moment of desperation I did add my Synology’s certificate bundle into the JKS, although I do not believe it is necessary as I have several smtp servers logging to graylog via rsyslog.d over TLS without touching the JavaKeyStore.

#Steps to Verify Synology is in JKS

@graylog ~]$ sudo keytool -import -alias synology-16-cert -file Synology.certANDkey.pkcs8.plain.pem -keystore publicKey.store
[yes/no]: yes

@graylog ~]$ sudo keytool -list
Enter keystore password:  
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

Synology-16.domain.com, Jun 14, 2019, trustedCertEntry, 
Certificate fingerprint (SHA1): 06:62:SnippedForPrivacy:44:D8
tstkey, May 30, 2019, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 3B:AF:SnippedForPrivacy:8E:6A
graylog.domain.com, May 30, 2019, trustedCertEntry, 
Certificate fingerprint (SHA1): A5:91:SnippedForPrivacy:C2:E0
shadow-ca, Jun 14, 2019, trustedCertEntry,  
Certificate fingerprint (SHA1): 
0B:DF:SnippedForPrivacy:9E:1F

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /root/.keystore -destkeystore /root/.keystore -deststoretype pkcs12".
@graylog ~]$

We still see:

2019-06-14T11:23:31.409-07:00 ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/5ce5b8d6fe4050505a2c4c4a] (channel [id: 0x4efb2de5, L:/10
.1.1.5:6514 ! R:/192.168.0.5:57309]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000418:SS
L routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA)

just to be sure - did you include the Keystore in the startup parameters of Graylog?

Yes sir, while debugging java & tls I copied the keystore over to /etc/graylog/server/cacerts.jks , added my company CA’s and shadowCA to it, and tweaked my JAVA_OPTS like so::

GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/graylog/server/cacerts.jks -Djavax.net.debug=all"

NO LUCK…
Synology at this time just will not Syslog over SSL/TLS… =(