Hello Adir.
As a workaround, please try to use one P12 file containing both the private and public key, instead of separate files.
It means that in the log source configuration, in the Protocol tab, in "Server Certificate Type" you should change from "PEM Certificate and Private Key" to "PKCS12 Certificate Chain and Password". You can use the openssl command to join the existing certificate files into one p12 file.
I have never used "Check Point Harmony"; however, multiple other log source types did not work for me with the TLS Syslog protocol and separate certificate files. Usually it helped when I changed to a p12 file.
Regards,
Robert Karpiński
------------------------------
Robert Karpiński
------------------------------
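As an added example (not part of Robert's reply or any IBM/Check Point documentation), the following POSIX shell functions show the openssl step he refers to: first checking that the PEM private key really belongs to the certificate, then joining the pair (plus an optional CA chain file) into one password-protected PKCS12 file, and reading the certificate back out of the bundle to confirm it opens. The file names, the CN and the password are constructed for the demo; `demo_bundle` creates a throwaway self-signed pair rather than a real event collector certificate. It requires the `openssl` CLI.

```shell
#!/bin/sh
# Added example: bundle a PEM certificate and its private key into one .p12
# for QRadar's "PKCS12 Certificate Chain and Password" option.
# All file names, the CN and the password are constructed for this demo.
set -eu

# Confirm the private key belongs to the certificate by comparing the
# SubjectPublicKeyInfo derived from each. A mismatch is a common reason a
# TLS listener starts but every handshake from the sender fails.
pem_pair_matches() {
    cert="$1"; key="$2"
    openssl x509 -in "$cert" -noout 2>/dev/null || return 1
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Join certificate (+ optional CA chain) and key into one password-protected
# PKCS12 file. Usage: pem_to_p12 CERT KEY OUT PASSWORD [CHAIN]
pem_to_p12() {
    cert="$1"; key="$2"; out="$3"; pass="$4"; chain="${5:-}"
    pem_pair_matches "$cert" "$key" || { echo "certificate/key mismatch" >&2; return 1; }
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
            -name "qradar-tls-syslog" -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -in "$cert" -inkey "$key" \
            -name "qradar-tls-syslog" -out "$out" -passout "pass:$pass"
    fi
}

# Read the leaf certificate's subject back out of the .p12 to confirm the
# bundle opens with the password and contains the expected certificate.
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Demo: a throwaway self-signed pair (constructed, not a real collector cert).
demo_bundle() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=qradar-ec.example.internal" \
        -keyout "$dir/ec.key" -out "$dir/ec.crt" >/dev/null 2>&1
    pem_to_p12 "$dir/ec.crt" "$dir/ec.key" "$dir/ec.p12" "changeit"
    p12_subject "$dir/ec.p12" "changeit"
}
```

The password given to `-passout` is the one entered in the log source's PKCS12 password field. If the collector's importer rejects the resulting file, one thing worth checking (an assumption about Java/OpenSSL compatibility, not something the thread confirms) is that OpenSSL 3 writes PKCS12 with PBES2/AES by default; its `-legacy` switch produces the older encoding that some Java versions expect.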
Original Message:
Sent: Thu November 21, 2024 08:30 AM
From: Adir Sabag
Subject: QRadar TLS Syslog with PEM certificate and private key issues
Hello,
We are having issues collecting logs through TLS Syslog with PEM certificate and private key.
One of our customers has Check Point Harmony, which is kind of a SaaS FW and XDR. As this is a cloud-based product, and our QRadar is on-prem, we need to forward logs from Harmony to QRadar using TLS Syslog with signed certificates. I opened a case and one of the IBM support team members helped me to create and sign certificates in the event collector. I then uploaded those certificates to Harmony. Harmony has a "Test" button to test the connection to the event collector using those certificates, and it always fails. When I check the Log Activity in QRadar, I can see a few events, but each event contains a single weird character. It seems that QRadar can't decrypt the logs from Harmony (just guessing).
The IBM support team said that they don't support the use of TLS Syslog from Harmony so they can't assist anymore.
What are the right steps to set up a TLS Syslog log source using a PEM certificate and private key? Does anyone here have experience with Check Point Harmony?
Thank you.
------------------------------
Adir Sabag
------------------------------