Events are being triggered in the NSX NDR component, but the CRIBL SIEM endpoint is not receiving any data.
The "nsx-ndr-worker-siem-notification-sender" pod goes into CrashLoopBackOff.
NAPP Version 4.2.x
The NDR component cannot complete a TLS handshake with the CRIBL SIEM endpoint, so every attempt to post to the CRIBL bulk endpoint fails. The following error was observed in the SIEM pod logs:
stderr F nsx_ndr_service.siem.errors.FailedToSendSiemNotification: An SSL error has occurred: HTTPSConnectionPool(host='xxx.xxx.xxx', port=10070): Max retries exceeded with url: /cribl/_bulk (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1131)')))
[SSL: WRONG_VERSION_NUMBER] is raised by OpenSSL when the bytes returned by the peer cannot be parsed as a TLS record of any supported version. This points to an SSL/TLS misconfiguration on the CRIBL side: either the port NDR is configured to reach over HTTPS is answering in plaintext (an HTTP-only listener, or a wrong port), or the listener's TLS settings do not match what the NAPP NDR component offers. A listener that speaks TLS but rejects the offered version normally reports a protocol_version alert rather than this error, so the plaintext case should be ruled out first.
NOTE: If the SIEM pod cannot deliver a SIEM notification, it exits; while delivery keeps failing Kubernetes restarts it repeatedly, which is why it ends up in CrashLoopBackOff. This is by design.
Correct the TLS configuration of the CRIBL listener (and confirm that the host, port and scheme NDR is pointed at belong to a TLS-enabled listener). Please work with CRIBL support for further assistance.
Once the endpoint accepts the handshake, delete the NDR pods (including nsx-ndr-worker-siem-notification-sender) so that they are recreated; this clears the CrashLoopBackOff and also resolves intermittent delivery issues.
Please refer to their documentation on common errors and troubleshooting for additional guidance:
https://docs.cribl.io/stream/common-errors/
This can also be validated on the CRIBL side, or from any host that can reach the listener:
To investigate, use openssl s_client to attempt a handshake with one TLS version at a time. Replace cribl_server_url and cribl_server_port with the host and port NDR is configured to use:
openssl s_client -connect cribl_server_url:cribl_server_port -tls1_3 </dev/null
openssl s_client -connect cribl_server_url:cribl_server_port -tls1_2 </dev/null
openssl s_client -connect cribl_server_url:cribl_server_port -tls1_1 </dev/null
openssl s_client -connect cribl_server_url:cribl_server_port -tls1 </dev/null
These commands confirm which TLS versions the CRIBL SIEM server accepts. A version the server accepts prints the certificate chain and a "Protocol : TLSv1.x" line. An "alert protocol version" error means the listener is up and speaking TLS but rejects that version. A "wrong version number" error on every attempt means the port is not answering with TLS at all (typically a plaintext HTTP listener), which matches the error seen in the NDR pod logs. Note that -tls1 and -tls1_1 are disabled in many current OpenSSL builds; a "no protocols available" error there is a limitation of the client you are testing from, not of the CRIBL server.
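The same check as a script, as an added example that is not part of this article or of the NSX/CRIBL products: it handshakes with each TLS version in turn using only the Python standard library and maps the OpenSSL failure reason to a diagnosis, so a plaintext port (WRONG_VERSION_NUMBER, the error in the NDR log above) is told apart from a server that rejects the version (protocol_version alert) and from a client build that refuses to offer it. The host and port are assumptions, and the local listener that answers a ClientHello with an HTTP status line is constructed here to reproduce the WRONG_VERSION_NUMBER case offline.

```python
# Added example (not from the KB): probe which TLS versions an HTTPS listener
# accepts and classify the failure reason. The plaintext listener below is a
# constructed stand-in for a CRIBL port that is not speaking TLS.
import socket
import ssl
import threading
import warnings

# Oldest first, mirroring the four openssl s_client runs in the KB. TLS 1.0/1.1
# may be refused by the local OpenSSL build before any bytes are sent.
PROBE_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)

# Reasons raised before the ClientHello leaves the client.
CLIENT_SIDE = {"NO_PROTOCOLS_AVAILABLE", "UNSUPPORTED_PROTOCOL"}
# Reasons meaning the server spoke TLS and refused the offered version.
SERVER_REJECTED = {"TLSV1_ALERT_PROTOCOL_VERSION", "SSLV3_ALERT_HANDSHAKE_FAILURE"}


def classify(reason):
    """Map an ssl.SSLError.reason (None on success) to a diagnosis string."""
    if reason is None:
        return "accepted"
    if reason == "WRONG_VERSION_NUMBER":
        # The first bytes back were not a TLS record of any version: the port
        # is almost certainly serving plaintext rather than lacking a version.
        return "not-tls-on-port"
    if reason in SERVER_REJECTED:
        return "server-rejects-version"
    if reason in CLIENT_SIDE:
        return "client-build-refuses-version"
    return "other:" + reason


def probe_version(host, port, version, timeout=5.0):
    """Handshake with exactly one TLS version; return (diagnosis, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # version probe only, like s_client
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            # Python 3.10+ warns when pinning to TLS 1.0/1.1; that is expected here.
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
    except ValueError as exc:       # OpenSSL built without this version
        return "client-build-refuses-version", str(exc)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted", tls.version()
    except ssl.SSLError as exc:
        reason = exc.reason or type(exc).__name__
        return classify(reason), reason
    except OSError as exc:
        return "connect-failed", str(exc)


def probe_all(host, port):
    """Run probe_version for every entry in PROBE_VERSIONS, keyed by name."""
    return {v.name: probe_version(host, port, v) for v in PROBE_VERSIONS}


def start_plaintext_listener():
    """Constructed stand-in for a listener that does not speak TLS: it reads the
    ClientHello and answers with an HTTP status line. Returns (port, stop)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop_event = threading.Event()

    def serve():
        while not stop_event.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(65536)  # the ClientHello, read and ignored
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop_event.set


if __name__ == "__main__":
    port, stop = start_plaintext_listener()
    for name, (diagnosis, detail) in probe_all("127.0.0.1", port).items():
        print(f"{name}: {diagnosis} ({detail})")
    stop()
```

Against a real CRIBL listener, replace the loopback target with the host and port from the NDR SIEM configuration; a result of "not-tls-on-port" for every version means the fix is the listener's TLS/port setting rather than its accepted versions, while "server-rejects-version" for the versions NDR offers is the version-mismatch case.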