Syslog Server Test Message Errors - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2023-11-02
Last date published: 2024-02-21
Category: Administrator Guide
Abstract: Learn more about Syslog Server test message errors.

When configuring a syslog server, Cortex XSOAR sends a test message. You can also manually send a test message by going to Settings & Info → Settings → Integrations → Syslog Servers → New Server, right-clicking on the forwarding notification, and choosing Send test message. If a test message cannot be sent, Cortex XSOAR displays an error message to help you troubleshoot. Below are the descriptions and suggested solutions for the error messages.

Error Message

Description

Suggested Solution

Host Resolving Failed

The IP address or hostname you provided doesn't exist, or can't be resolved.

Ensure you have the correct IP address or hostname.

Configured Local Address

The IP address or hostname you provided is internal and can't be used.

Ensure you have the correct IP address or hostname.

Wrong Certificate Format

The certificate you uploaded is in an unexpected format and can't be used. The certificate must be an ASCII string or a bytes-like object.

Re-create the certificate in the correct format: a PEM-encoded certificate, that is, Base64 text enclosed between a -----BEGIN CERTIFICATE----- line and an -----END CERTIFICATE----- line.

Connection Timed Out

Cortex XSOAR didn’t connect to the syslog server in the expected time. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection.

Check the firewall logs and the connection using a tool such as Wireshark.

Connection Refused

The syslog server refused the connection. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection.

Check the firewall logs and the connection using a tool such as Wireshark.

Connection Reset

The connection was reset by the syslog server. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection.

Check the firewall logs and the connection using a tool such as Wireshark.

Certificate Verification Failed

The uploaded certificate couldn’t be verified for one of the following reasons.

  • The certificate doesn't correspond to the certificate on the syslog server and can't be validated.

  • The certificate doesn’t have the correct hostname.

  • You are using a certificate chain and didn’t merge the certificates into one certificate.

  • Incorrect certificate—to check that the certificate you are uploading corresponds to the server syslog certificate, use the following openssl command.

    openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate

    If the certificate is correct, the result is syslog_certificate: OK.

  • Incorrect hostname—make sure that the hostname or IP address in the certificate matches the syslog server.

  • Certificate chain—If you are using a list of certificates, merge the chain into one certificate. You can concatenate the certificates using the following cat command in Linux or macOS.

    cat intermediate_cert root_cert > merged_syslog.crt

    If the concatenated certificate doesn’t work, change the order of the root and intermediate certificates, and try again.

    To verify that the chain certificate was saved correctly, use the following openssl command.

    openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate

    If the certificate is correct, the result is syslog_certificate: OK.
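A pre-upload check for the certificate file, as an added example that is not part of this guide or of Cortex XSOAR: it confirms the file is ASCII PEM, counts the certificates in it so you can tell whether a chain was actually merged, and rejects a file that also contains a private key. The name `check_pem_bundle` and the sample data are constructed for illustration.

```python
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def check_pem_bundle(data):
    """Return the number of certificates in a PEM file; raise ValueError if malformed."""
    if isinstance(data, (bytes, bytearray)):
        try:
            data = bytes(data).decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("not ASCII; the file may be binary DER, not PEM") from None
    elif not data.isascii():
        raise ValueError("not ASCII")
    if "PRIVATE KEY-----" in data:
        raise ValueError("file contains a private key; upload certificates only")
    bodies = PEM_CERT.findall(data)
    if not bodies:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    for n, body in enumerate(bodies, 1):
        try:
            # Line breaks inside the body are allowed; other characters are not.
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            raise ValueError(f"certificate {n}: body is not valid Base64") from None
        if not der.startswith(b"\x30"):  # X.509 DER begins with a SEQUENCE tag
            raise ValueError(f"certificate {n}: decoded body is not DER")
    return len(bodies)

# Constructed sample: valid PEM framing around 5 dummy bytes, not a real certificate.
SAMPLE = ("-----BEGIN CERTIFICATE-----\n"
          + base64.encodebytes(b"\x30\x03\x02\x01\x01").decode("ascii")
          + "-----END CERTIFICATE-----\n")
```

A result of 1 for a file that should hold an intermediate and a root certificate means the chain was not merged. This checks framing only; `openssl verify` is still needed to confirm the chain validates.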

Connection Terminated Abruptly

The firewall or the syslog server dropped the connection unexpectedly. This could be because the firewall on the customer side limits the number of connections, the configuration on the syslog server drops the connection, or the network is unstable.

Check the firewall logs and the connection using a tool such as Wireshark.

Host Unreachable

The network configuration is faulty and the connection can't reach the syslog server.

Check that the network is configured correctly, for example that a firewall or load balancer isn't accidentally directing the connection to a dead server.

SSL Error

Unknown SSL error.

To investigate the issue, contact Cortex XSOAR support.

Connection Unavailable

General error.

To investigate the issue, contact Cortex XSOAR support.
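To reproduce a failed test message from a host on the same network path, the following added example (not Cortex XSOAR code) opens a TCP or TLS connection with Python's standard library and reports which of the error names above the failure most resembles. The function names `classify` and `probe` and the exception-to-name mapping are assumptions of this example, not the product's logic.

```python
import errno
import socket
import ssl

def classify(exc):
    """Map a connection exception to an error name from the table above.
    The mapping is this example's assumption, not the product's logic."""
    if isinstance(exc, socket.gaierror):
        return "Host Resolving Failed"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "Certificate Verification Failed"
    if isinstance(exc, (ssl.SSLEOFError, ConnectionAbortedError, BrokenPipeError)):
        return "Connection Terminated Abruptly"
    if isinstance(exc, ssl.SSLError):
        return "SSL Error"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "Connection Timed Out"
    if isinstance(exc, ConnectionRefusedError):
        return "Connection Refused"
    if isinstance(exc, ConnectionResetError):
        return "Connection Reset"
    if getattr(exc, "errno", None) in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "Host Unreachable"
    return "Connection Unavailable"

def probe(host, port, ca_file=None, timeout=5.0):
    """Connect over TCP, or TLS when ca_file is given; return (name, detail)."""
    ctx = None
    if ca_file:
        # Trust only the file you plan to upload, not the system CA store.
        ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if ctx:
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass  # handshake done: chain and hostname verified
    except OSError as exc:
        # verify_message separates a hostname mismatch from an issuer problem.
        return classify(exc), getattr(exc, "verify_message", str(exc))
    return "OK", ""
```

Call it as `probe("syslog.example.com", 6514, ca_file="merged_syslog.crt")`, where the host and port are placeholders for your own syslog server. For a certificate failure, the second element of the result says whether the hostname or the issuer was the problem.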