Hi!
I am trying to ingest Palo Alto Firewall syslogs from Devo SIEM. To do that, I had to implement stunnel on my relay server, but during the installation I got this error message (I couldn't start the stunnel service, and I set all the configs as mentioned in the links below):
devo-relay-server:/etc/stunnel# systemctl status stunnel4.service
× stunnel4.service - LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)
     Loaded: loaded (/etc/init.d/stunnel4; generated)
     Active: failed (Result: exit-code) since Fri 2024-06-14 13:42:04 UTC; 58min ago
       Docs: man:systemd-sysv-generator(8)
        CPU: 27ms

Jun 14 13:42:04 -devo-relay-server stunnel4[4032]: [.] Reading configuration from file /etc/stunnel/stunnel.conf
Jun 14 13:42:04 -devo-relay-server stunnel4[4032]: [.] UTF-8 byte order mark not detected
Jun 14 13:42:04 -devo-relay-server stunnel4[4032]: [!] /etc/stunnel/stunnel.conf:6: "setuid = test": Illegal UID
Jun 14 13:42:04 -devo-relay-server stunnel4[4032]: [!] Configuration failed
Jun 14 13:42:04 -devo-relay-server stunnel4[4032]: [ ] Deallocating temporary section defaults
Jun 14 13:42:04 -devo-relay-server stunnel4[4018]: failed
Jun 14 13:42:04 -devo-relay-server stunnel4[4018]: You should check that you have specified the pid= in you configuration file
Jun 14 13:42:04 -devo-relay-server systemd[1]: stunnel4.service: Control process exited, code=exited, status=1/FAILURE
Jun 14 13:42:04 -devo-relay-server systemd[1]: stunnel4.service: Failed with result 'exit-code'.
Jun 14 13:42:04 -devo-relay-server systemd[1]: Failed to start LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons).
root@-devo-relay-server:/etc/stunnel#
--------------------------------------------------------------
My conf file:
/etc/stunnel/stunnel.conf
; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; It is recommended to drop root privileges if stunnel is started by root
setuid = test
setgid = test

; PID file is created inside the chroot jail (if enabled)
pid = /var/run/stunnel4/stunnel.pid

; Debugging stuff (may be useful for troubleshooting)
;foreground = yes
;debug = debug
output = /var/log/stunnel4/stunnel.log

[firewall_tunnel]
client = no
accept = 6515
connect = 127.0.0.1:13005
cert = /etc/pki/stunnel/cert_SyslogCert-Devo.pem
verifyChain = yes
verifyPeer = yes
CAfile = /etc/pki/stunnel/cert_RootCA-Devo.crt
--------------------------------------------------------------
/etc/default/stunnel4 file:
# /etc/default/stunnel
# Julien LEMOINE speedblue@debian.org
# September 2003
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""

# Change to one to enable ppp restart scripts
PPP_RESTART=0

# Change to enable the setting of limits on the stunnel instances
# For example, to set a large limit on file descriptors (to enable
# more simultaneous client connections), set RLIMITS="-n 4096"
# More than one resource limit may be modified at the same time,
# e.g. RLIMITS="-n 4096 -d unlimited"
RLIMITS=""
--------------------------------------------------------------
Does anyone have knowledge about the issue?
The links I got support from:
https://docs.devo.com/space/latest/94663679/Sending+Palo+Alto+events+to+Devo... https://docs.devo.com/space/latest/96469881/Sending+SSL%2FTLS+encrypted+even...
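The log above pins the failure to the first thing stunnel validates in the global section: `setuid = test` names an account that does not exist on the relay, so stunnel reports "Illegal UID" and aborts before it ever reads the `[firewall_tunnel]` service. The script below is an added pre-flight check, written for this thread; it is not part of the original post, of stunnel, or of Devo's tooling. It reads the `key = value` lines of a stunnel.conf and verifies the things that commonly stop the service before start-up: the `setuid`/`setgid` account and group exist, the `pid` directory exists, and the `cert`/`key`/`CAfile` paths are readable. The `make_sample_confs` helper writes two constructed sample configs (one broken in the same way as the poster's, one that passes) into a temporary directory so the check can be exercised offline; the account names, paths and ports in those samples are assumptions for the demonstration, and in real use `setuid` would be the dedicated unprivileged account the package created (on Debian-family systems, check with `id stunnel4`).

```shell
#!/bin/sh
# Hypothetical stunnel.conf pre-flight check (added example, not stunnel's or Devo's code).
# Usage: sh stunnel_preflight.sh /etc/stunnel/stunnel.conf

# conf_value FILE KEY: print the value of the first "KEY = value" line in FILE.
# Lines starting with ';' are stunnel comments and never match the pattern.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_stunnel_conf FILE: report each problem, return non-zero if any was found.
check_stunnel_conf() {
    conf="$1"
    rc=0

    # setuid must name an existing account, otherwise stunnel logs "Illegal UID".
    user=$(conf_value "$conf" setuid)
    if [ -n "$user" ] && ! id -u "$user" >/dev/null 2>&1; then
        echo "setuid = $user: no such user (stunnel would report 'Illegal UID')"
        rc=1
    fi

    # setgid must name an existing group (looked up by name in /etc/group).
    group=$(conf_value "$conf" setgid)
    if [ -n "$group" ] && ! grep -q "^$group:" /etc/group; then
        echo "setgid = $group: no such group"
        rc=1
    fi

    # The directory holding the pid file must exist before stunnel drops privileges.
    pidfile=$(conf_value "$conf" pid)
    if [ -n "$pidfile" ] && [ ! -d "$(dirname "$pidfile")" ]; then
        echo "pid = $pidfile: directory $(dirname "$pidfile") does not exist"
        rc=1
    fi

    # Certificate material must be readable (only the first occurrence of each key is checked).
    for k in cert key CAfile; do
        path=$(conf_value "$conf" "$k")
        if [ -n "$path" ] && [ ! -r "$path" ]; then
            echo "$k = $path: file not readable"
            rc=1
        fi
    done

    return $rc
}

# make_sample_confs: write two constructed sample configs into a temp dir and print its path.
make_sample_confs() {
    dir=$(mktemp -d)
    # Broken sample: nonexistent account, group, pid directory and certificate (constructed).
    cat > "$dir/broken.conf" <<'EOF'
setuid = no_such_user_zz
setgid = no_such_group_zz
pid = /nonexistent/stunnel4/stunnel.pid

[firewall_tunnel]
client = no
accept = 6515
connect = 127.0.0.1:13005
cert = /nonexistent/pki/cert.pem
EOF
    # Passing sample: the current account/group, a pid path inside the temp dir, a real cert file.
    touch "$dir/cert.pem"
    cat > "$dir/fixed.conf" <<EOF
setuid = $(id -un)
setgid = $(id -gn)
pid = $dir/stunnel.pid

[firewall_tunnel]
client = no
accept = 6515
connect = 127.0.0.1:13005
cert = $dir/cert.pem
EOF
    echo "$dir"
}

# Stand-alone use: check the config given on the command line.
if [ -n "${1:-}" ]; then
    check_stunnel_conf "$1" && echo "ok: $1 passed pre-flight checks"
fi
```

Run it as `sh stunnel_preflight.sh /etc/stunnel/stunnel.conf` before `systemctl start stunnel4`; against the configuration in the post it reports the `setuid`/`setgid` problem directly instead of leaving you to read it out of journalctl. It only checks the first service section's certificate paths, which matches the single `[firewall_tunnel]` section here.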