1
answer

Hi,
I am trying to use an ssl connection between client and server in "server-side authentication only" mode.
I placed the certificates in the respective /conf folder of nxlog server.
these are the current configurations:

>>> CLIENT <<<
<Output to_syslog_server>
Module om_ssl
Host 10.1.1.1
Port 516
Exec $Message = to_leef(); to_syslog_ietf();
</Output>

>>> SERVER <<<
<Input in_syslog_ssl>
Module im_ssl
Host 0.0.0.0
Port 516
CAFile %CERTDIR%/rootCA.pem
CertFile %CERTDIR%/central.crt
CertKeyFile %CERTDIR%/central.key
KeyPass password
FlowControl TRUE
AllowUntrusted TRUE
<Exec>
if $raw_event =~ /LEEF/
parse_leef();
else
parse_syslog();
</Exec>
</Input>

but it makes me this Error:

2019-09-06 17:43:26 ERROR remote ssl socket was reset? (SSL_ERROR_SSL with errno=9); End of file found

Do you have any ideas to solve this?

Thank you
Antonio

AskedSeptember 9, 2019 - 9:54am

Answer (1)

You should check the nxlog.log on the server side for further details.

AnsweredSeptember 10, 2019 - 8:52am

Comments (4)

  • antoniosoc's picture

    hi,
    thank you for your reply
    this error is on both sides, both client and server

    thank you

    September 10, 2019 - 9:24am
  • b0ti's picture
    (NXLog)

    Then it's probably a firewall between the two that does the connection reset.

    September 10, 2019 - 9:03pm
  • antoniosoc's picture

    To remove the firewall doubt, I tried this simple configuration between two VMs that are on the same VLAN (so without a firewall in between) but it still doesn’t work.
    ideas?
    (remember that my way is to do server-side authentication and not a muthual authentication)

    >>CLIENT<<
    <Output to_syslog_server>
    Module om_ssl
    Host log.company.it
    Port 516
    CAFile %ROOT%/cert/rootCA.crt
    </Output>

    >>SERVER<<
    <Input in_ssl>
    Module im_ssl
    Host 0.0.0.0
    Port 516
    CAFile %ROOT%/cert/rootCA.crt
    CertFile %ROOT%/cert/server.crt
    CertKeyFile %ROOT%/cert/server.key
    AllowUntrusted TRUE
    FlowControl TRUE
    </Input>

    September 17, 2019 - 10:08am
  • antoniosoc's picture

    2019-09-17 13:54:45 INFO SSL connection accepted from 10.32.81.250:53882
    2019-09-17 13:54:45 DEBUG worker 6 processing event 0x130dfc0
    2019-09-17 13:54:45 DEBUG PROCESS_EVENT: POLL (in_ssl)
    2019-09-17 13:54:45 DEBUG nx_module_pollset_poll: in_ssl
    2019-09-17 13:54:45 DEBUG module in_ssl got 1 poll events
    2019-09-17 13:54:45 DEBUG Module in_ssl can read
    2019-09-17 13:54:45 DEBUG nx_event_to_jobqueue: READ (in_ssl)
    2019-09-17 13:54:45 DEBUG event added to jobqueue
    2019-09-17 13:54:45 DEBUG nx_event_to_jobqueue: POLL (in_ssl)
    2019-09-17 13:54:45 DEBUG event added to jobqueue
    2019-09-17 13:54:45 DEBUG worker 5 got signal for new job
    2019-09-17 13:54:45 DEBUG worker 5 processing event 0x130dac0
    2019-09-17 13:54:45 DEBUG worker 6 waiting for new event
    2019-09-17 13:54:45 DEBUG PROCESS_EVENT: READ (in_ssl)
    2019-09-17 13:54:45 DEBUG im_ssl_read
    2019-09-17 13:54:45 DEBUG worker 2 got signal for new job
    2019-09-17 13:54:45 DEBUG worker 2 got no event to process
    2019-09-17 13:54:45 DEBUG worker 2 waiting for new event
    2019-09-17 13:54:45 DEBUG im_ssl WANT_READ
    2019-09-17 13:54:45 DEBUG add socket [21]
    2019-09-17 13:54:45 DEBUG socket already added to pollset with reqevents [21 != 21]
    2019-09-17 13:54:45 DEBUG worker 5 processing event 0x130de80
    2019-09-17 13:54:45 DEBUG PROCESS_EVENT: POLL (in_ssl)
    2019-09-17 13:54:45 DEBUG nx_module_pollset_poll: in_ssl
    2019-09-17 13:54:45 DEBUG module in_ssl got 1 poll events
    2019-09-17 13:54:45 DEBUG Module in_ssl can read
    2019-09-17 13:54:45 DEBUG nx_event_to_jobqueue: READ (in_ssl)
    2019-09-17 13:54:45 DEBUG event added to jobqueue
    2019-09-17 13:54:45 DEBUG nx_event_to_jobqueue: POLL (in_ssl)
    2019-09-17 13:54:45 DEBUG event added to jobqueue
    2019-09-17 13:54:45 DEBUG worker 3 got signal for new job
    2019-09-17 13:54:45 DEBUG worker 3 processing event 0x130dc00
    2019-09-17 13:54:45 DEBUG PROCESS_EVENT: READ (in_ssl)
    2019-09-17 13:54:45 DEBUG worker 1 got signal for new job
    2019-09-17 13:54:45 DEBUG im_ssl_read
    2019-09-17 13:54:45 DEBUG worker 1 got no event to process
    2019-09-17 13:54:45 DEBUG worker 5 waiting for new event
    2019-09-17 13:54:45 DEBUG worker 1 waiting for new event
    2019-09-17 13:54:45 ERROR [ssl.c:258/nx_ssl_check_io_error()] remote ssl socket was reset? (SSL_ERROR_SSL with errno=9); End of file found
    2019-09-17 13:54:45 DEBUG im_ssl got disconnect
    2019-09-17 13:54:45 WARNING SSL connection closed from 10.32.81.250:53882

    September 17, 2019 - 2:01pm