Hi Chris,
unfortunately a full deploy does not fix the problem. We deleted old certificates and downloaded new ones which can't be pinned:
log message says
Jan 12 16:56:08 127.0.0.1 ProtocolTestingThread-5b330a95-7043-444e-afca-a51f56cebe44 | [Q1X509TrustManager] [Validation] [ValidationFailed] (ecs-ec-ingress) Server Certificate Validation failed. chain:[0]X509Certificate : { SubjectDN : CN=*.blob.core.windows.net, IssuerDN : CN=Microsoft RSA TLS CA 02, O=Microsoft Corporation, C=US},[1]X509Certificate : { SubjectDN : CN=Microsoft RSA TLS CA 02, O=Microsoft Corporation, C=US, IssuerDN : CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE}, exception:com.q1labs.frameworks.crypto.trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed.
this can be tested from cli using openssl
[root@vQRadar ~]# openssl s_client -connect pro4bizz.blob.core.windows.net:443
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = Microsoft Corporation, CN = Microsoft RSA TLS CA 02
verify return:1
depth=0 CN = *.blob.core.windows.net
verify return:1
---
Certificate chain
0 s:/CN=*.blob.core.windows.net
i:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 02
1 s:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 02
i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIOMTCCDBmgAwIBAgITfwAfHLqLou0OZkwxIwAAAB8cujANBgkqhkiG9w0BAQsF
...
EctpJllHLQZGV2DRG7F+KSyTc9XfGDc2b6HmjzrU8Lo+Nl4Xw5vuGCeZkVSC7/de
mct1qk2DkhcyYAZclMfBiGuIEwhhYdTHYlm5gusVI2esFbo0pw==
-----END CERTIFICATE-----
subject=/CN=*.blob.core.windows.net
issuer=/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 02
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 5530 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 36030000E2712BB2B318E17D2A7D59A378F545A88BAC9E457342987728BD11CC
Session-ID-ctx:
Master-Key: BEC11C18E23FFFA3FFF122949CBF3D7A4EC3D993B4A28151C91970A1230A6988 1800863F3980021CB8AD02BC37895939
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1642001304
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
read:errno=104
[root@vQRadar ~]#
This is QRadar specific. Works on other hosts. Pls advise
Thx
Karl
------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
------------------------------
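The two artefacts quoted above (the Q1X509TrustManager log line and the openssl s_client output) describe the same chain in two different DN notations, which makes eyeballing them error-prone. The following script is an added example, not code from the thread or from QRadar: it normalises both notations, checks that QRadar and openssl saw the same subject/issuer pairs, extracts the openssl verify result, and computes the SHA-256 fingerprint of a PEM certificate so it can be compared with a pinned value. It uses only the Python standard library; the DN splitting on ", " and "/" is an assumption that holds for the DNs in this thread, and the certificate body at the bottom is a constructed placeholder, not a real certificate.

```python
"""Compare the chain QRadar rejected with the chain openssl s_client saw, and
fingerprint a PEM certificate for a pinning comparison. Standard library only."""
import hashlib
import re
import ssl

# Sample input: the QRadar log line and openssl output quoted in the thread,
# cut down to the parts the parsers need.
QRADAR_LOG = (
    "[Q1X509TrustManager] [Validation] [ValidationFailed] (ecs-ec-ingress) "
    "Server Certificate Validation failed. chain:"
    "[0]X509Certificate : { SubjectDN : CN=*.blob.core.windows.net, "
    "IssuerDN : CN=Microsoft RSA TLS CA 02, O=Microsoft Corporation, C=US},"
    "[1]X509Certificate : { SubjectDN : CN=Microsoft RSA TLS CA 02, "
    "O=Microsoft Corporation, C=US, IssuerDN : CN=Baltimore CyberTrust Root, "
    "OU=CyberTrust, O=Baltimore, C=IE}, exception:com.q1labs.frameworks.crypto."
    "trustmanager.exceptions.Q1CertificateException: checkCertificatePinning failed."
)

OPENSSL_OUTPUT = """\
Certificate chain
 0 s:/CN=*.blob.core.windows.net
   i:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 02
 1 s:/C=US/O=Microsoft Corporation/CN=Microsoft RSA TLS CA 02
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
    Verify return code: 0 (ok)
"""


def _dn_to_set(dn: str) -> frozenset:
    """Normalise a DN into a set of (attribute, value) pairs so that Java's
    'CN=..., O=..., C=...' and OpenSSL's '/C=.../O=.../CN=...' compare equal.
    Assumption: values contain neither ', ' nor '/' (true for this thread)."""
    parts = dn.split("/") if dn.startswith("/") else dn.split(", ")
    pairs = []
    for part in parts:
        part = part.strip()
        if part:
            attr, _, value = part.partition("=")
            pairs.append((attr.strip(), value.strip()))
    return frozenset(pairs)


def parse_qradar_chain(log_line: str) -> list:
    """(subject, issuer) pairs from a Q1X509TrustManager ValidationFailed line."""
    pattern = re.compile(r"\[\d+\]X509Certificate : \{ SubjectDN : (.*?), IssuerDN : (.*?)\}")
    return [(_dn_to_set(s), _dn_to_set(i)) for s, i in pattern.findall(log_line)]


def parse_openssl_chain(output: str) -> list:
    """(subject, issuer) pairs from the 'Certificate chain' block of openssl s_client."""
    chain, subject = [], None
    for line in output.splitlines():
        m = re.match(r"^\s*\d+\s+s:(.*)$", line)
        if m:
            subject = _dn_to_set(m.group(1))
            continue
        m = re.match(r"^\s*i:(.*)$", line)
        if m and subject is not None:
            chain.append((subject, _dn_to_set(m.group(1))))
            subject = None
    return chain


def openssl_verify_code(output: str):
    """(code, text) from the 'Verify return code' line, or None if absent."""
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    return (int(m.group(1)), m.group(2)) if m else None


def chains_match(a: list, b: list) -> bool:
    """True when both chains present the same subject/issuer pairs in the same order."""
    return a == b


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate (the usual form of a pin)."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem))


def pin_matches(pem: str, pinned_fingerprints) -> bool:
    """Pinning check: the presented certificate's fingerprint must be in the pinned set.
    Accepts upper/lower case and colon-separated fingerprints."""
    pinned = {f.lower().replace(":", "") for f in pinned_fingerprints}
    return fingerprint_pem(pem) in pinned


# Constructed stand-in for a certificate body: NOT real DER, only here so the
# fingerprint helpers can be exercised offline.
CONSTRUCTED_DER = b"constructed-not-a-real-certificate"
CONSTRUCTED_PEM = ssl.DER_cert_to_PEM_cert(CONSTRUCTED_DER)

if __name__ == "__main__":
    q, o = parse_qradar_chain(QRADAR_LOG), parse_openssl_chain(OPENSSL_OUTPUT)
    print("same chain seen by QRadar and openssl:", chains_match(q, o))
    print("openssl verify result:", openssl_verify_code(OPENSSL_OUTPUT))
    print("fingerprint of constructed cert:", fingerprint_pem(CONSTRUCTED_PEM))
```

When the chains match and openssl reports `Verify return code: 0 (ok)`, the system trust store accepts the chain and the rejection is purely a pin mismatch, which is what the `checkCertificatePinning failed` exception says; the remaining step is to fingerprint the live leaf or intermediate (for example the PEM block openssl prints under "Server certificate") and compare it against whatever fingerprint the collector has pinned.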
Original Message:
Sent: Mon January 10, 2022 09:45 AM
From: Chris Collins
Subject: QRadar in Azure collecting Events through Azure Event Hub - FAILED
Hi Peter,
Regarding:
Error: An error occurred that represents an exception for the Microsoft Azure Storage Service.
There may be more errors either in the debug logs of the test, if you hit the gear icon in the top right of the Log Source Management app and toggle the debug option on you'll see additional logging.
If nothing shows up once the debug logs are on, check /var/log/qradar.error on the appliance doing the collection and additional info may be there. Originally in this topic a ClassNotFoundException was being hit by another user which should get resolved by a full deploy or a manual restart of ecs-ec-ingress on the affected appliance but your case could be something completely different.
Have a look and see if you can get any additional info and let us know, thanks!
------------------------------
Chris Collins
Software Architect / Technical Lead
QRadar Integration Team
Original Message:
Sent: Fri January 07, 2022 03:54 AM
From: Peter Fischer
Subject: QRadar in Azure collecting Events through Azure Event Hub - FAILED
Hi
we have a similar problem.
Checking the provided Storage Account's permissions failed with:
- Successfully parsed the Storage Account Connection String
- Successfully created a reference to the Storage Account Container : aadeventhub-test
- Checking if the container exist and creating it if it doesn't exist.
- Error: An error occurred that represents an exception for the Microsoft Azure Storage Service.
- Error: Unable to connect to the Storage Account [XXX]. Ensure that the Storage Account Connection String is valid and that QRadar can connect to [XXX.blob.core.windows.net]
- Error: The error didn't provide an error message that could be posted.
The checks above are passed. So
Attempting to parse the Event Hub Connection String. - Passed
Attempting to parse the Storage Account Connection String. - Passed
Testing DNS resolution of [XXX.servicebus.windows.net] - Passed
- Successfully resolved [XXX.servicebus.windows.net] to IP [51.107.58.132]
Testing TCP connection to [XXX.servicebus.windows.net:5671] - Passed
- Attempting TCP connection to [XXX.servicebus.windows.net:5671] with a timeout of 10000 ms
- Successful TCP connection to [XXX.servicebus.windows.net:5671]
Testing TCP connection to [XXX.servicebus.windows.net:5672] - Passed
- Attempting TCP connection to [XXX.servicebus.windows.net:5672] with a timeout of 10000 ms
- Successful TCP connection to [XXX.servicebus.windows.net:5672]
Testing DNS resolution of [XXX.blob.core.windows.net] - Passed
- Successfully resolved [XXX.blob.core.windows.net] to IP [52.239.251.68]
Testing TCP connection to [XXX.blob.core.windows.net:443] - Passed
- Attempting TCP connection to [XXX.blob.core.windows.net:443] with a timeout of 10000 ms
- Successful TCP connection to [XXX.blob.core.windows.net:443]
Does anyone know how to solve the problem?
Thanks for your help.
Cheers
Peter
------------------------------
Peter Fischer
Original Message:
Sent: Fri March 12, 2021 08:16 AM
From: BrunoMarX
Subject: QRadar in Azure collecting Events through Azure Event Hub - FAILED
Hi community,
I went through this forum and checked older posts related to the QRadar-Azure integration and could not find an answer.
My Setup:
QRadar in Azure in Tenant #1
Sign-In and Audit Logs from Tenant #1 are sent to an Event Hub in the same tenant.
My Problem:
Mar 12 12:50:40 ::ffff:IP [ecs-ec-ingress.ecs-ec-ingress] [Thread-6976] java.lang.NoSuchMethodError: com/q1labs/semsources/sources/utils/GatewayLogSourcePatternParser.setupSourceNameModifier(Ljava/util/List;)Ljava/util/List; (loaded from file:/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/q1labs_semsources_protocol_common.jar by com.q1labs.core.util.classloader.ChildFirstClassLoader$ChildURLClassLoader@6035a74b) called from class com.q1labs.semsources.sources.microsoftazureeventhubs.MicrosoftAzureEventHubsProvider (loaded from file:/opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs/q1labs_semsources_protocol_microsoftazureeventhubs.jar by com.q1labs.core.util.classloader.ChildFirstClassLoader$ChildURLClassLoader@6035a74b).
Mar 12 12:17:51 ::ffff:IP [ecs-ec-ingress.ecs-ec-ingress] [Thread-4546] com.q1labs.semsources.sources.microsoftazureeventhubs.MicrosoftAzureEventHubsSource: [ERROR] [NOT:0070003100][IP- -] [-/- -]There appears to be a configuration issue with the provider connection 'class com.q1labs.semsources.sources.microsoftazureeventhubs.MicrosoftAzureEventHubsProvider7'.
There are some similar threads here without solution:
https://www.ibm.com/mysupport/s/question/0D50z00006PFbmfCAD/errors-connecting-to-azure-event-hub?language=de
https://www.ibm.com/mysupport/s/question/0D50z00006PEGdKCAX/errors-connecting-to-azure-event-hub-protocol-error?language=de
What I've done so far:
- I've followed this guideline https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_logsource_Microsoft_Azure_Event_Hubs_protocol.html
and repeated this step many times. (Created the log source manually and also looked for auto-discovered log sources.) I also asked another colleague to do the same. We both had the same problem.
- https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_ms_azure_troubleshooting.html
We also tried to do some troubleshooting, but couldn't find any solution.
Telnet to Storage Account and Event Hub Namespace work. Ports are open.
We also created Event Hubs Namespaces and Eventhubs and allowed mostly everything to be sure it was not any permission problem.
The same with Storage Account.
Have we slipped up somewhere?
Thank you!
Greetings,
Bruno
------------------------------
BrunoMarX
------------------------------