There is a noticeable drop in the number of log events received in Aria Operations for Logs from any host that has been switched to use SSL for its syslog protocol.
The issue may also present as the following error messages in the log files listed below:
Filename: /storage/core/loginsight/var/runtime.log
[2021-04-14 15:09:23.682+0000] ["Thread-5231777"/10.1.207.122 ERROR] [com.vmware.loginsight.ingestion.syslog.SyslogEventHandler] [Syslog ssltcp exception by esxi.domain.local from port 37593]
javax.net.ssl.SSLException: readHandshakeRecord
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1117)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:398)
at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:726)
at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:72)
at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:809)
at sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:768)
at org.productivity.java.syslog4j.server.impl.net.tcp.SyslogMessageReader.nextOctetMessage(SyslogMessageReader.java:91)
at org.productivity.java.syslog4j.server.impl.net.tcp.SyslogMessageReader.nextMessage(SyslogMessageReader.java:182)
Filename: /var/log/.vmsyslogd.err:
2021-07-22T07:09:47.840Z vmsyslog : CRITICAL] vmsyslogd daemon starting (2097817)
2021-07-22T07:10:29.862Z vmsyslog.main : ERROR ] switching to normal mode from init mode
2021-07-22T07:10:29.925Z vmsyslog.loggers.network : ERROR ] SSL certificate verification failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1108)
2021-07-22T07:10:29.925Z vmsyslog.loggers.network : ERROR ] failed to establish connection to remote syslog server OpsForLogs.domain.local:1514
<OpsForLogsFQDN>:
openssl s_client -connect <OpsForLogsFQDN>:1514 -showcerts 2>&1 < /dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
NOTE: The previous command will generate a number of .pem files depending on the configuration of the cert presented by Aria Ops for Logs, for example: cert1.pem, cert2.pem, etc.
openssl x509 -in cert1.pem -text
NOTE: The Issuer: and Subject: fields will be the same for the valid CA certificate and the X509v3 extensions: will contain CA:TRUE
/etc/vmware/ssl/ directory, using the following command as an example, replacing <n>:
cp cert<n>.pem /etc/vmware/ssl/OpsForLogsCA.pem
esxcli system security certificatestore add -f /etc/vmware/ssl/OpsForLogsCA.pem
esxcli system syslog reload
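The check described in the NOTE above (Issuer equal to Subject, and CA:TRUE under the X509v3 extensions) can be applied to every extracted cert<n>.pem at once. This is an added example, not part of the original article; the function names is_ca_text and find_ca_pem and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# Reads `openssl x509 -noout -text` output on stdin. Exits 0 when the text meets
# the article's criteria for the CA certificate: Issuer equals Subject and the
# X509v3 Basic Constraints extension contains CA:TRUE.
is_ca_text() {
    awk '
        /^ *Issuer:/  && !i { sub(/^ *Issuer: */, "");  issuer = $0;  i = 1; next }
        /^ *Subject:/ && !s { sub(/^ *Subject: */, ""); subject = $0; s = 1; next }
        /^ *CA:TRUE/        { ca = 1 }
        END { exit !(i && s && ca && issuer == subject) }
    '
}

# Prints every cert<n>.pem in directory $1 (default: current directory) that
# passes is_ca_text. Files that openssl cannot parse are skipped.
find_ca_pem() {
    dir=${1:-.}
    for f in "$dir"/cert*.pem; do
        [ -f "$f" ] || continue
        if openssl x509 -in "$f" -noout -text 2>/dev/null | is_ca_text; then
            echo "$f"
        fi
    done
}

# Constructed sample of `openssl x509 -text` output for a self-signed CA.
SAMPLE_CA_TEXT='        Issuer: CN = Example Root CA, O = Example
        Subject: CN = Example Root CA, O = Example
        Subject Public Key Info:
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE'

if printf '%s\n' "$SAMPLE_CA_TEXT" | is_ca_text; then
    echo "sample text: CA certificate"
fi
find_ca_pem .   # lists matching cert<n>.pem files produced by the s_client command
```

Because the chain was fetched over a connection that was not yet trusted, compare the selected file's fingerprint (openssl x509 -in cert<n>.pem -noout -fingerprint -sha256) with a value obtained from the Aria Operations for Logs side before adding it to the ESXi certificate store.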
It is possible to add the required CA cert to the ESXi hosts using the Add-VITrustedCertificate cmdlet for PowerCLI.
For further information please see: Add-VITrustedCertificate