Strata Logging Service stopped forwarding logs to syslog server due to certificate expiry

Created On 10/03/24 22:15 PM - Last Modified 01/10/25 03:33 AM


Symptom


  • Strata Logging Service stops forwarding logs to syslog_ng.
  • Test Connection on Strata Logging Service reports an error (Log Forwarding->Log Forwarding Profile->Test Connection).
  • In this example, the certificate on the syslog server expired on Sep 23, 2024.

  • On syslog_ng (the syslog server), the certificate is displayed as unknown (certificate unknown).


Environment


  • Prisma Access or NGFW
  • Strata Logging Service
  • Linux-based syslog server called syslog_ng
  • Firewall > Strata Logging Service > Syslog Server


Cause


The certificate on the syslog server has expired.



Resolution


The following steps narrow down the issue and lead to the resolution.

  1. Ensure that the TCP connection is in the ESTABLISHED state. Run the command "netstat -n | grep ESTABLISHED" on the syslog server.
  2. Ensure that the SLS Infrastructure IP for the specific region is allowed through the network firewalls. Refer to Strata Logging Service - Service Regions.
  3. Check that the certificate is valid from a CLI session on the syslog server. Redirecting stdin from /dev/null makes s_client exit after the handshake instead of waiting for input.

           openssl s_client -servername <NAME> -connect <HOST:PORT> </dev/null 2>/dev/null | openssl x509 -noout -dates

    1. If the certificate is expired, replace it with a valid one. If the certificate is not expired, contact Palo Alto technical support.
    2. Once the certificate is valid, run Test Connection on Strata Logging Service to ensure the TLS connection is stable.
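
The check in step 3 can be scripted so that an expiring certificate is flagged before log forwarding breaks. The script below is an added example, not part of the original article: the function names cert_status and check_endpoint and the 30-day WARN_DAYS threshold are assumptions, and it relies on GNU date as found on a Linux syslog server.

```sh
#!/bin/sh
# Added example (not from the original article). Requires GNU date (-d).

# cert_status NOW_EPOCH  -- reads `openssl x509 -noout -dates` output on stdin.
# Prints "OK <days>", "EXPIRING <days>", "EXPIRED <days ago>", "NOT_YET_VALID"
# or "NO_CERT". Returns 0 = fine, 1 = renew soon, 2 = TLS will fail now.
cert_status() {
    now=$1
    warn_days=${WARN_DAYS:-30}          # assumed threshold, tune as needed
    dates=$(cat)
    not_before=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
    not_after=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
    # Empty fields: s_client returned no certificate (port closed, no TLS).
    if [ -z "$not_before" ] || [ -z "$not_after" ]; then
        echo "NO_CERT"; return 2
    fi
    start=$(date -u -d "$not_before" +%s 2>/dev/null) || { echo "NO_CERT"; return 2; }
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo "NO_CERT"; return 2; }
    if [ "$now" -lt "$start" ]; then
        echo "NOT_YET_VALID"; return 2  # also check the system clock
    fi
    if [ "$now" -ge "$end" ]; then
        echo "EXPIRED $(( (now - end) / 86400 ))"; return 2
    fi
    days=$(( (end - now) / 86400 ))
    if [ "$days" -lt "$warn_days" ]; then
        echo "EXPIRING $days"; return 1
    fi
    echo "OK $days"
}

# check_endpoint NAME HOST:PORT -- the pipeline from step 3, fed to cert_status.
check_endpoint() {
    openssl s_client -servername "$1" -connect "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -dates 2>/dev/null |
        cert_status "$(date -u +%s)"
}

# Run only when called as: script NAME HOST:PORT (e.g. from cron).
if [ "$#" -eq 2 ]; then
    check_endpoint "$1" "$2"
    exit $?
fi
```

Run from cron with the same <NAME> and <HOST:PORT> used in step 3, a non-zero exit status can drive an alert ahead of the expiry date.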

