JohnMacDonald
New Member
September 2, 2021
Question

FortiSIEM Collector (6.3) and TLS not working

Hello,

We have followed the instructions to use Syslog TLS:
https://docs.fortinet.com/document/fortisiem/6.3.1/external-systems-configuration-guide/136807/syslog-over-tls

However, while the TLS port 6514 is open and responsive, the connection does not complete the TLS handshake. I have verified that the collector is configured for using TLS1.3; if we test the localhost built-in certificate on port 443, it is successful. We have verified the client can connect to the TCP port 6514.

e.g.

Successful:
openssl s_client -connect servername.com:443 -debug

Fails:
openssl s_client -connect servername.com:6514 -debug


We have been researching and testing with openssl commands to verify the certificate, but when we run any tests against the TCP 6514 it hangs at "CONNECTED(00000003)" and never finishes. The self-signed cert we generated appears good.

Has anyone else encountered this issue, or have suggestions?

Regards,

John

    1 reply

    KenMick
    Staff
    September 3, 2021
    Hi John,

    I just ran through this on a 6.3.0 and it seems to be working perfectly.

    openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout /etc/pki/tls/private/tls-collector1.key -out /etc/pki/tls/certs/tls-collector1.crt
    chmod 640 /etc/pki/tls/private/tls-collector1.key
    chown root:admin /etc/pki/tls/private/tls-collector1.key
    chmod 644 /etc/pki/tls/certs/tls-collector1.crt

    Then edit /opt/phoenix/config/phoenix_config.txt and update these two lines:

    tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt
    tls_key_file=/etc/pki/tls/private/tls-collector1.key


    Finally, execute this command and wait for the phParser process to recover
    killall -9 phParser


    Afterwards, validate

    echo -n | openssl s_client -connect localhost:6514


    ------------------------------
    Ken
    ------------------------------
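
Added example, not part of either post: a pre-flight check for the certificate and key produced by the steps in the reply above, plus a time-bounded handshake probe so a listener that accepts TCP but never answers does not hang the terminal. The function names `check_tls_pair` and `probe_tls` are hypothetical; the paths in the usage comment are the ones from the reply.

```sh
#!/bin/sh
# Added example: pre-flight checks for a collector certificate/key pair.
# Function names are hypothetical; only standard openssl/coreutils calls are used.

# check_tls_pair CERT KEY -> 0 if every check passes, 1 otherwise.
check_tls_pair() {
    cert=$1; key=$2; rc=0
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done

    # The certificate must parse and must not be expired.
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "FAIL: $cert is not a PEM certificate"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired"; rc=1; }

    # The key must be unencrypted (the reply generates it with -nodes) ...
    kpub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null </dev/null) ||
        { echo "FAIL: $key is not an unencrypted private key"; return 1; }
    # ... and its public half must equal the one inside the certificate.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ "$cpub" = "$kpub" ] ||
        { echo "FAIL: private key does not match certificate"; rc=1; }

    # No permission bits for "other" on the key (the reply uses mode 640).
    other=$(ls -ldL "$key" | cut -c8-10)
    [ "$other" = "---" ] ||
        { echo "FAIL: $key is accessible to other users ($other)"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: certificate and key are consistent"
    return "$rc"
}

# probe_tls HOST:PORT -> 0 only if a TLS session is negotiated within 10 s,
# so a listener that accepts TCP but never answers cannot hang the shell.
probe_tls() {
    out=$(timeout 10 openssl s_client -connect "$1" </dev/null 2>&1) || true
    printf '%s\n' "$out" | grep '^New, ' | grep -vq '(NONE)'
}

# Usage with the paths from the reply:
#   check_tls_pair /etc/pki/tls/certs/tls-collector1.crt \
#                  /etc/pki/tls/private/tls-collector1.key &&
#   probe_tls localhost:6514 && echo "handshake OK"
```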
    JohnMacDonald
    New Member
    September 17, 2021
    Ken,

    Appreciate you testing the steps and confirming that they worked. I ended up creating a new certificate and this time it worked. The troubleshooting
    took a while as the actual error was not in any SSL logs in Linux but in the phoenix log. Hopefully using TLS over TCP to forward syslog-ng logs
    will work.

    Thanks again.

    John