ESA stop sending Samples to ThreatGrid appliance

a ali
Level 1

Hello,

I have an on-prem Threat Grid and I made an integration between ESA and Threat Grid, but now, after checking the Threat Grid, I do not find any samples sent from ESA.

How can I check this issue?

5 Replies

What does the AMP log say?
You may want to set it to Debug, and send something you know it will upload and see what's going in there.

How can I see the AMP log and how do I do the debug?

You can see the logs a couple of ways:
In the CLI via the grep command, which will let you search it, or tail it, or just show you the whole thing.
If you have FTP enabled on your ESAs, you connect to the ESA and download the logs.

You may be able to see what's going on at its current level, but if it's not clear, you can turn the level up under System Administration/Log Subscriptions. Click on the log, set the level, submit/commit and then send mail with an attachment that should get uploaded.
Just remember to set it back when you're done.


Thanks for your support. Is there any command to check if there is any issue with the certificate between ESA and Threat Grid?

saliyev
Cisco Employee

Do you use a self-signed cert on the TG appliance or one signed by a CA?
If self-signed on TG: add this cert into the ESA's FA setting.
If signed by a CA: either add the root cert to the ESA's custom cert list and then the identity cert into the ESA's FA setting, or add the cert chain into the ESA's FA setting in PEM format. Please note that the chain order in the PEM file (---cert begin ..... ---cert end---) should be as follows: identity cert -> intermediate cert -> root cert

BTW, you can try to open the TG GUI by the CLEAN interface hostname and check the certificate.

On the ESA side you can use the tlsverify CLI command.

Another option: you can use the openssl tool to check what certificate details the TG appliance returns.
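
The chain order described in the reply above (identity -> intermediate -> root) can be checked offline before the PEM file is loaded into the ESA. The script below is an added example, not part of any reply in this thread and not Cisco tooling. It assumes `openssl` and `awk` are installed; the function names `split_bundle` and `check_chain_order` are hypothetical, and the check compares issuer and subject name hashes only, it does not verify signatures.

```shell
#!/bin/sh
# Added example: confirm a PEM bundle is ordered identity -> intermediate(s) -> root.
# Name-hash comparison only; signatures and validity dates are not checked.

# split_bundle BUNDLE OUTDIR: write each cert to OUTDIR/cert-N.pem and print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/ { on = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# check_chain_order BUNDLE: 0 = order is correct, 1 = wrong order, 2 = unusable input.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$bundle" "$tmp")
    if [ "$count" -lt 1 ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"
        return 2
    fi
    rc=0
    i=1
    while [ "$i" -le "$count" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
        if [ "$i" -lt "$count" ]; then
            # Every cert except the last must be issued by the cert that follows it.
            expect=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject_hash)
            what="the subject of cert $((i + 1))"
        else
            # The last cert must be the self-signed root (also covers a lone self-signed cert).
            expect=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -subject_hash)
            what="its own subject (self-signed root expected last)"
        fi
        if [ "$issuer" != "$expect" ]; then
            echo "cert $i: issuer does not match $what" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $rc
}

# Run against a bundle when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_chain_order "$1" && echo "chain order OK"
fi
```

To capture what the appliance actually presents, `openssl s_client -connect <tg-clean-hostname>:443 -showcerts </dev/null` prints the served certificates in PEM form; the hostname is a placeholder for your own CLEAN interface name.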