Syslog Server Test Message Errors - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-03-22
Last date published: 2023-09-25
Category: Administrator Guide

When you configure a syslog server, Cortex XDR sends a test message. If the test message cannot be sent, Cortex XDR displays an error message to help you troubleshoot. The descriptions and suggested solutions for these error messages are listed below.

Each entry below gives the error message, followed by a description of the cause and a suggested solution.

Host Resolving Failed

Description: The IP address or hostname you provided doesn't exist, or can't be resolved.

Suggested solution: Ensure you have the correct IP address or hostname.

Configured Local Address

Description: The IP address or hostname you provided is internal and can't be used.

Suggested solution: Ensure you have the correct IP address or hostname.

Wrong Certificate Format

Description: The certificate you uploaded is in an unexpected format and can't be used. The certificate must be an ASCII string or a bytes-like object.

Suggested solution: Re-create the certificate in the correct format: a base64-encoded certificate body enclosed between a -----BEGIN CERTIFICATE----- line and an -----END CERTIFICATE----- line.

Connection Timed Out

Description: Cortex XDR could not connect to the syslog server within the expected time. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection.

Suggested solution: Check the firewall logs and inspect the connection using Wireshark.

Connection Refused

Description: The syslog server refused the connection. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection.

Suggested solution: Check the firewall logs and inspect the connection using Wireshark.

Connection Reset

Description: The connection was reset by the syslog server. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection.

Suggested solution: Check the firewall logs and inspect the connection using Wireshark.

Certificate Verification Failed

Description: The uploaded certificate couldn't be verified for one of the following reasons.

  • The certificate doesn't correspond to the certificate on the syslog server and can't be validated.

  • The certificate doesn't have the correct hostname.

  • You are using a certificate chain and didn't merge the certificates into one certificate.

Suggested solution:

  • Incorrect certificate: to check that the certificate you are uploading corresponds to the syslog server certificate, use the following openssl command.

    openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate

    If the certificate is correct, the result is syslog_certificate: OK.

  • Incorrect hostname: make sure that the hostname or IP address in the certificate matches the syslog server.

  • Certificate chain: if you are using a list of certificates, merge the chain into one certificate. You can concatenate the certificates using the following cat command on Linux or macOS.

    cat intermediate_cert root_cert > merged_syslog.crt

    If the concatenated certificate doesn't work, change the order of the root and intermediate certificates and try again.

    To verify that the chain certificate was saved correctly, use the following openssl command, where cortex_upload_certificate is the merged file you are about to upload.

    openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate

    If the certificate is correct, the result is syslog_certificate: OK.

Connection Terminated Abruptly

Description: The firewall or the syslog server dropped the connection unexpectedly. This could be because the firewall on the customer side limits the number of connections, the configuration on the syslog server drops the connection, or the network is unstable.

Suggested solution: Check the firewall logs and inspect the connection using Wireshark.

Host Unreachable

Description: The network configuration is faulty and the connection can't reach the syslog server.

Suggested solution: Check the network configuration, including any firewall or load balancer that may be accidentally directing the connection to a dead server.

SSL Error

Description: Unknown SSL error.

Suggested solution: To investigate the issue, contact support.

Connection Unavailable

Description: General error.

Suggested solution: To investigate the issue, contact support.