NDR SIEM Integration fails with SSL verification error causing NDR-SIEM-Sender pod CrashLoopBackOff


Article ID: 438473


Updated On:

Products

VMware vDefend Firewall with Advanced Threat Prevention
VMware vDefend Firewall

Issue/Introduction

After configuring SIEM integration for Network Detection and Response (NDR) using Aria Operations for Logs as the endpoint, the NDR service becomes unstable.

The NDR-SIEM-Sender pod continuously crashes and enters a CrashLoopBackOff state approximately every 7–8 minutes.

The pod logs show repeated SSL errors similar to:

 

2026-04-15 16:03:14,225 - nsx_ndr_service.siem.siem_sender - ERROR - Failed to send SIEM event notification: HTTPSConnectionPool(host='<vAria ops log server fqdn>', port=9543): Max retries exceeded with url: /api/v2/events (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)')))
2026-04-15 16:03:46,269 - nsx_ndr_service.siem.siem_sender - ERROR - Failed to send SIEM event notification: HTTPSConnectionPool(host='<vAria ops log server fqdn>', port=9543): Max retries exceeded with url: /api/v2/events (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)')))
2026-04-15 16:04:50,315 - nsx_ndr_service.siem.siem_sender - ERROR - Failed to send SIEM event notification: HTTPSConnectionPool(host='<vAria ops log server fqdn>', port=9543): Max retries exceeded with url: /api/v2/events (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))

 

Due to this issue, NDR fails to consistently forward events to the configured SIEM endpoint.


Environment

SSP 5.0 and above

Cause

This issue occurs due to SSL certificate validation failure between NDR and the SIEM endpoint.

  • The SIEM server is configured with a self-signed or internally signed certificate
  • Such certificates are not trusted by default by NDR
  • SSL handshake fails during event transmission
  • The NDR-SIEM-Sender pod retries repeatedly and eventually enters CrashLoopBackOff

As per product design, certificate validation is enforced, and untrusted certificates result in connection failure.
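
The following triage script is an added example, not part of the product or of this article's original text. It parses sender log lines in the format shown above and reports which certificate verification reason each endpoint is hitting. The function names and the hostname siem.example.internal are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Meaning of the OpenSSL verify reasons Python's ssl module reports.
REASONS = {
    "self-signed certificate in certificate chain":
        "chain ends in a root CA that the sender does not trust",
    "self-signed certificate":
        "the server certificate itself is self-signed",
    "unable to get local issuer certificate":
        "issuer is unknown to the sender or the chain is incomplete",
}

# Matches the siem_sender ERROR lines shown in this article.
LINE = re.compile(
    r"^(?P<ts>[\d-]+ [\d:]+),\d{3} - \S+ - ERROR - "
    r".*?HTTPSConnectionPool\(host='(?P<host>[^']+)', port=(?P<port>\d+)\)"
    r".*?certificate verify failed: (?P<reason>.+?) \(_ssl\.c:\d+\)"
)

def triage(lines):
    """Count verification failures per (host, port, reason)."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if m:
            # OpenSSL 1.1.x writes "self signed"; 3.x writes "self-signed".
            reason = m["reason"].replace("self signed", "self-signed")
            hits[(m["host"], int(m["port"]), reason)] += 1
    return hits

def explain(reason):
    return REASONS.get(reason, "unrecognised reason; inspect the chain manually")

# Constructed sample input: placeholder hostname, one non-matching INFO line.
_T = ("2026-04-15 16:0{n}:14,225 - nsx_ndr_service.siem.siem_sender - ERROR - "
      "Failed to send SIEM event notification: HTTPSConnectionPool("
      "host='siem.example.internal', port=9543): Max retries exceeded with "
      "url: /api/v2/events (Caused by SSLError(SSLCertVerificationError(1, "
      "'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: {reason} "
      "(_ssl.c:1000)')))")
SAMPLE = [
    _T.format(n=3, reason="self-signed certificate in certificate chain"),
    _T.format(n=4, reason="self signed certificate in certificate chain"),
    "2026-04-15 16:05:00,000 - nsx_ndr_service.siem.siem_sender - INFO - ok",
]
if __name__ == "__main__":
    for (host, port, reason), n in triage(SAMPLE).items():
        print(f"{host}:{port} x{n}: {reason} -> {explain(reason)}")
```
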

Resolution

Workaround

Disable SSL certificate verification in the SIEM configuration.

This allows the NDR-SIEM-Sender pod to successfully send events.
However, this approach reduces security, because the sender no longer authenticates the SIEM endpoint before transmitting events, and is not recommended for production environments.

 

Reference document: Configure SIEM Integration