RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 11.x, 10.6.x
Issue: RSA Security Analytics Log Collector shows "Basic https handshake error" when attempting to pull events from Cisco IPS/IDS (SDEE collection).
The Log Collector logs display errors similar to the following:
May 28 14:18:46 YYYYYYY nw: [SdeeCollection] [failure] [sdee:WrkUnit:10183] [logError:733] [ciscoids.XXXXXX] [processing] [XXXXXX] Basic https handshake error: short read
May 28 14:18:46 YYYYYYY nw: [SdeeCollection] [info] [sdee:WrkUnit:10183] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 0 SDEE events, Total duration 518 (ms), Connect 518 (ms), Event Processing 0 (ms), Publish 0 (ms), Data Response 0 (ms), Data Request 0 (ms), XML Parsing 0 (ms)
Cause: The default SSL protocol version in the Log Collector event source setting is TLSv1. Some Cisco IPS/IDS devices do not support TLSv1, only SSLv3.
Resolution: To resolve the issue, follow the steps below.
- From the Security Analytics UI, navigate to Administration -> Devices.
- Select the Log Collector device and click on View -> Config.
- Click on the Event Source tab.
- Select the SDEE option in the drop-down at the upper left.
- Select ciscoids in the left pane, where you will be able to edit the event source in the right pane.
- Click on Advanced.
- Change the SSL Version from TLS1 to SSLv3.
You should now be able to collect logs successfully and see the following message in the logs:
May 28 15:04:16 YYYYYY nw: [Engine] [audit] User admin (session 471246, 127.0.0.1:54570) has changed /logcollection/sdee/eventsources/ciscoids/TIPRJRL1/ssl_version from "tlsv1" to "sslv3"
May 28 15:04:33 YYYYYY nw: [SdeeCollection] [info] [sdee:WrkUnit:10182] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 500 SDEE events, Total duration 2122 (ms), Connect 49 (ms), Event Processing 55 (ms), Publish 55 (ms), Data Response 1928 (ms), Data Request 6 (ms), XML Parsing 26 (ms)
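As an added example (not RSA's code and not part of this article), the following Python script parses the three kinds of Log Collector lines quoted above: the SDEE handshake failure, the per-work-unit "Published N SDEE events" summary with its phase timings, and the Engine audit record of the ssl_version change. Run over a Log Collector log it reports handshake errors and events published per event source, whether a source that failed later published events again, and every ssl_version change with the user who made it, so a protocol downgrade such as the one in this article is visible in monitoring rather than only in the UI. The sample lines are constructed from the article's output and keep its placeholder host names and event source ids; the bracket layout and the "<type>.<name>" form of the event source id are assumptions taken from those lines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input modelled on the Log Collector lines quoted in this
# article; host names and event source ids are placeholders, as they are there.
SAMPLE_LOG = """\
May 28 14:18:46 YYYYYYY nw: [SdeeCollection] [failure] [sdee:WrkUnit:10183] [logError:733] [ciscoids.XXXXXX] [processing] [XXXXXX] Basic https handshake error: short read
May 28 14:18:46 YYYYYYY nw: [SdeeCollection] [info] [sdee:WrkUnit:10183] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 0 SDEE events, Total duration 518 (ms), Connect 518 (ms), Event Processing 0 (ms), Publish 0 (ms), Data Response 0 (ms), Data Request 0 (ms), XML Parsing 0 (ms)
May 28 15:04:16 YYYYYY nw: [Engine] [audit] User admin (session 471246, 127.0.0.1:54570) has changed /logcollection/sdee/eventsources/ciscoids/TIPRJRL1/ssl_version from "tlsv1" to "sslv3"
May 28 15:04:33 YYYYYY nw: [SdeeCollection] [info] [sdee:WrkUnit:10182] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 500 SDEE events, Total duration 2122 (ms), Connect 49 (ms), Event Processing 55 (ms), Publish 55 (ms), Data Response 1928 (ms), Data Request 6 (ms), XML Parsing 26 (ms)
"""

# Syslog-style prefix carried by every Log Collector line in the article.
PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) nw: (?P<rest>.*)$")
# SDEE handshake failure; the event source id is the "<type>.<name>" bracket (assumed layout).
HANDSHAKE_RE = re.compile(
    r"\[SdeeCollection\] \[failure\] .*?\[(?P<source>\w+\.\w+)\] "
    r".*?Basic https handshake error: (?P<reason>.+)$")
# SDEE work-unit summary followed by the per-phase timings.
PUBLISH_RE = re.compile(
    r"\[SdeeCollection\] \[info\] .*?\[(?P<source>\w+\.\w+)\] "
    r".*?Published (?P<events>\d+) SDEE events, (?P<metrics>.+)$")
METRIC_RE = re.compile(r"(?P<name>[A-Za-z][A-Za-z ]*?) (?P<ms>\d+) \(ms\)")
# Engine audit record for a configuration change (old and new value quoted).
AUDIT_RE = re.compile(
    r"\[Engine\] \[audit\] User (?P<user>\S+) \(session (?P<session>\d+), "
    r"(?P<addr>\S+)\) has changed (?P<path>\S+) from \"(?P<old>[^\"]*)\" to \"(?P<new>[^\"]*)\"")


@dataclass
class Event:
    kind: str            # "handshake_error", "publish" or "config_change"
    timestamp: str
    host: str
    source: Optional[str] = None
    details: dict = field(default_factory=dict)


def parse_line(line: str) -> Optional[Event]:
    """Classify one Log Collector line; return None for lines this script does not track."""
    head = PREFIX_RE.match(line.strip())
    if not head:
        return None
    ts, host, rest = head.group("ts"), head.group("host"), head.group("rest")
    m = HANDSHAKE_RE.search(rest)
    if m:
        return Event("handshake_error", ts, host, m.group("source"),
                     {"reason": m.group("reason").strip()})
    m = PUBLISH_RE.search(rest)
    if m:
        metrics = {name.strip(): int(ms) for name, ms in METRIC_RE.findall(m.group("metrics"))}
        return Event("publish", ts, host, m.group("source"),
                     {"events": int(m.group("events")), "metrics": metrics})
    m = AUDIT_RE.search(rest)
    if m:
        return Event("config_change", ts, host, None,
                     {"user": m.group("user"), "addr": m.group("addr"), "path": m.group("path"),
                      "old": m.group("old"), "new": m.group("new")})
    return None


def summarize(lines) -> dict:
    """Roll parsed events up per event source and list every ssl_version change seen."""
    handshake_errors = defaultdict(int)
    events_published = defaultdict(int)
    recovered = {}          # source -> True once a non-empty publish follows a handshake error
    ssl_changes = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "handshake_error":
            handshake_errors[ev.source] += 1
            recovered[ev.source] = False
        elif ev.kind == "publish":
            events_published[ev.source] += ev.details["events"]
            if ev.source in recovered and ev.details["events"] > 0:
                recovered[ev.source] = True
        elif ev.kind == "config_change" and ev.details["path"].endswith("/ssl_version"):
            ssl_changes.append({"user": ev.details["user"], "path": ev.details["path"],
                                "old": ev.details["old"], "new": ev.details["new"]})
    return {"handshake_errors": dict(handshake_errors), "events_published": dict(events_published),
            "recovered": recovered, "ssl_version_changes": ssl_changes}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The "recovered" flag ties the audit record to its effect: on the sample input the source that failed with "short read" is marked recovered because a 500-event publish follows the ssl_version change, which is the sequence this article describes. The audit path is matched on its "/ssl_version" suffix so the same check covers any SDEE event source, in line with the note below that the issue is not specific to ciscoids.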
Notes: Technically this issue applies to any scenario where the collection has different SSL or TLS protocol needs, not just ciscoids.
Legacy Article ID: a65952