The strict_cert_verify option in alertsyslogconfig ensures rigorous verification of the rsyslog server's certificate. When enabled, the connection is rejected if:
Any certificate in the server's complete certificate chain, or the leaf certificate, is expired or is found in the revocation list as per the configured PKI profile.
The CA certificate cannot be verified using the configured PKI profile.
The configured hostname does not match the server certificate hostname.
The server certificate lacks the server authentication purpose.
The CA certificate in the chain does not have the CA attribute set to True. It should also have the correct purpose, with CRL and certificate signing.
Configure the alertsyslogconfig with strict_cert_verify as shown below using the Avi CLI:
[admin:alertstatic-ctlr]: > show alertsyslogconfig Pybot-Syslog-Cfg
+-------------------------------+--------------------------------------+
| Field                         | Value                                |
+-------------------------------+--------------------------------------+
| uuid                          | alertsyslogconfig-2d2432ca-35c6-40ad-|
|                               | 8010-06b98105a35c                    |
| name                          | Pybot-Syslog-Cfg                     |
| syslog_servers[1]             |                                      |
|   syslog_server               | 10.80.31.184                         |
|   syslog_server_port          | 10514                                |
|   udp                         | False                                |
|   format                      | SYSLOG_LEGACY                        |
|   tls_enable                  | True                                 |
|   ssl_key_and_certificate_ref | rslclient2                           |
|   pkiprofile_ref              | rslpki2                              |
|   anon_auth                   | False                                |
|   strict_cert_verify          | False                                |
| tenant_ref                    | admin                                |
+-------------------------------+--------------------------------------+
[admin:alertstatic-ctlr]: >
[admin:alertstatic-ctlr]: > configure alertsyslogconfig Pybot-Syslog-Cfg
Updating an existing object. Currently, the object is:
+-------------------------------+---------------------------------------+
| Field                         | Value                                 |
+-------------------------------+---------------------------------------+
| uuid                          | alertsyslogconfig-2d2432ca-35c6-40ad- |
|                               |8010-06b98105a35c                      |
| name                          | Pybot-Syslog-Cfg                      |
| syslog_servers[1]             |                                       |
|   syslog_server               | 10.80.31.184                          |
|   syslog_server_port          | 10514                                 |
|   udp                         | False                                 |
|   format                      | SYSLOG_LEGACY                         |
|   tls_enable                  | True                                  |
|   ssl_key_and_certificate_ref | rslclient2                            |
|   pkiprofile_ref              | rslpki2                               |
|   anon_auth                   | False                                 |
|   strict_cert_verify          | False                                 |
| tenant_ref                    | admin                                 |
+-------------------------------+---------------------------------------+
[admin:alertstatic-ctlr]: alertsyslogconfig> syslog_servers index 1
[admin:alertstatic-ctlr]: alertsyslogconfig:syslog_servers> strict_cert_verify
Overwriting the previously entered value for strict_cert_verify
[admin:alertstatic-ctlr]: alertsyslogconfig:syslog_servers> save
[admin:alertstatic-ctlr]: alertsyslogconfig> save
+-------------------------------+---------------------------------------+
| Field                         | Value                                 |
+-------------------------------+---------------------------------------+
| uuid                          | alertsyslogconfig-2d2432ca-35c6-40ad- |
|                               |8010-06b98105a35c                      |
| name                          | Pybot-Syslog-Cfg                      |
| syslog_servers[1]             |                                       |
|   syslog_server               | 10.80.31.184                          |
|   syslog_server_port          | 10514                                 |
|   udp                         | False                                 |
|   format                      | SYSLOG_LEGACY                         |
|   tls_enable                  | True                                  |
|   ssl_key_and_certificate_ref | rslclient2                            |
|   pkiprofile_ref              | rslpki2                               |
|   anon_auth                   | False                                 |
|   strict_cert_verify          | True                                  |
| tenant_ref                    | admin                                 |
+-------------------------------+---------------------------------------+
[admin:alertstatic-ctlr]: >
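
Before setting strict_cert_verify to True, the rsyslog server's certificate can be pre-checked from an admin workstation against the rejection conditions listed above. The following is an added example, not Avi code and not a description of how the Controller implements the option: it builds a Python TLS client context that approximates those checks with OpenSSL and reports why a handshake fails. The file name ca-and-crl.pem and the function names are assumptions; the file is expected to hold the CA certificates and CRLs that correspond to the PKI profile.

```python
import socket
import ssl

# OpenSSL verify codes for the rejection reasons listed on this page
# (numbers are OpenSSL's X509_V_ERR_* values, not Avi identifiers).
REASONS = {
    3: "no CRL available for a certificate in the chain",
    10: "a certificate in the chain has expired",
    20: "CA certificate cannot be verified against the trust store",
    23: "a certificate in the chain is revoked",
    26: "certificate lacks the required purpose",
    32: "CA certificate lacks certificate-sign key usage",
    35: "CA certificate lacks CRL-sign key usage",
    62: "hostname mismatch",
}


def build_strict_context(ca_and_crl_pem=None, crl_check=True):
    """Client context: chain, expiry, hostname, purpose, CA flags, CRL."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT  # strict CA and key-usage rules
    if crl_check:
        # Require a CRL lookup for every certificate in the chain.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    if ca_and_crl_pem:
        # One PEM file may carry both CA certificates and CRLs.
        ctx.load_verify_locations(cafile=ca_and_crl_pem)
    return ctx


def explain(verify_code):
    """Translate an OpenSSL verify code into a readable rejection reason."""
    return REASONS.get(verify_code, f"other verification failure (code {verify_code})")


def probe(host, port, ctx, timeout=5.0):
    """Attempt one TLS handshake; return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, explain(exc.verify_code)
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # Server and port are the ones shown in the CLI output above;
    # ca-and-crl.pem is a placeholder file name.
    print(probe("10.80.31.184", 10514, build_strict_context("ca-and-crl.pem")))
```

If the server requires a client certificate, load the same key pair the syslog configuration references with ctx.load_cert_chain() before calling probe().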