Cribl supports receiving Windows events via Windows Event Forwarding (WEF). One authentication method uses client certificates and mutual TLS (mTLS). This article lists some common issues and troubleshooting tips for mTLS.
Common Issues:
- Make sure the Network Service has permission to access the Client Certificate; see the docs for more.
- The full Certificate Authority (CA) certificate chain should be installed in Cribl Stream.
- You can concatenate the Intermediate CA with the Root CA to add it to Stream; put the issuing CA cert on top.
- Check that an issuing CA thumbprint is being used, and that no hidden or unexpected characters were accidentally copied with it.
Errors and Potential Solutions:
Error: The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
(Found in Application and Services Logs → Microsoft → Windows → Windows Remote Management → Operational)
Potential Resolutions:
- Check that the proper port and HTTPS are specified to match the subscription manager configured in the Group Policy Object (GPO).
- Ensure the proper fully qualified domain name (FQDN) is being used.
- Validate that the Cribl Source is enabled and committed / deployed.
- Check for any additional errors.
Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
(Found in Application and Services Logs → Microsoft → Windows → CAPI2 → Operational. NOTE: if no CAPI2 logs are seen, you may need to enable them, as shown in the screenshot below.)
Potential Resolutions:
- Check that the correct thumbprint is used in the GPO setting. Go to MMC → Add/Remove Snap-in → Add → OK.
- Get the thumbprint of the CA used to sign the Cribl WEF certificate and place it in the Thumbprint setting in the subscription manager (see below).
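One way to run the thumbprint checks from Common Issues and from the resolution above (an added example, not Cribl's own tooling): it computes the SHA-1 thumbprint of each certificate in the CA bundle and reports hidden characters in a pasted value. The function names and the sample bundle are constructed for illustration, and it assumes the bundle is ordered issuing CA first and that this CA also signed the Cribl WEF certificate.

```python
import base64
import hashlib
import re
import unicodedata

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def bundle_thumbprints(pem_text):
    """SHA-1 of each certificate's DER bytes (Windows thumbprint), in file order."""
    return [hashlib.sha1(base64.b64decode("".join(b.split()))).hexdigest().upper()
            for b in PEM_RE.findall(pem_text)]

def inspect_thumbprint(pasted):
    """Return (cleaned, problems) for a thumbprint pasted into the GPO setting."""
    problems, kept = [], []
    for pos, ch in enumerate(pasted):
        if ch in "0123456789abcdefABCDEF":
            kept.append(ch.upper())
        elif ch.isspace():
            problems.append(f"whitespace U+{ord(ch):04X} at offset {pos}")
        elif unicodedata.category(ch) == "Cf":  # invisible format characters
            name = unicodedata.name(ch, "unnamed")
            problems.append(f"invisible U+{ord(ch):04X} ({name}) at offset {pos}")
        else:
            problems.append(f"non-hex character {ch!r} at offset {pos}")
    cleaned = "".join(kept)
    if len(cleaned) != 40:
        problems.append(f"{len(cleaned)} hex digits, expected 40")
    return cleaned, problems

def check_gpo_thumbprint(pasted, pem_text):
    """Compare the pasted value with the first certificate in the bundle."""
    # Assumption: the bundle is ordered issuing CA first, root CA last.
    cleaned, problems = inspect_thumbprint(pasted)
    prints = bundle_thumbprints(pem_text)
    if not prints:
        problems.append("no certificates found in bundle")
    elif cleaned != prints[0]:
        where = "a later certificate in" if cleaned in prints else "no certificate in"
        problems.append(f"matches {where} the bundle, not the issuing CA on top")
    return cleaned, problems

# Constructed sample: two PEM blocks carrying placeholder bytes, not real certificates.
def _pem(raw):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(raw).decode()
            + "\n-----END CERTIFICATE-----\n")

SAMPLE_BUNDLE = _pem(b"constructed issuing CA") + _pem(b"constructed root CA")

if __name__ == "__main__":
    pasted = "\u200e" + bundle_thumbprints(SAMPLE_BUNDLE)[0]  # hidden leading mark
    print(check_gpo_thumbprint(pasted, SAMPLE_BUNDLE))
```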