000014703 - RSA Security Analytics Log Collector shows 'Basic https handshake error' when attempting to pull events from Cisco IPS/IDS (SDEE Collection)

The Log Collector logs display errors similar to the following:

May 28 14:18:46 YYYYYYY nw[10144]: [SdeeCollection] [failure] [sdee:WrkUnit[2]:10183] [logError:733] [ciscoids.XXXXXX] [processing] [XXXXXX] Basic https handshake error: short read
May 28 14:18:46 YYYYYYY nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[2]:10183] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 0 SDEE events, Total duration 518 (ms), Connect 518 (ms), Event Processing 0 (ms), Publish 0 (ms), Data Response 0 (ms), Data Request 0 (ms), XML Parsing 0 (ms)

In order to resolve the issue, follow the steps below.

1. From the Security Analytics UI, navigate to Administration -> Devices.
2. Select the Log Collector device and click on View -> Config.
3. Click on the Event Source tab.
4. Select ciscoids in the left pane, where you will be able to edit the event source in the right pane.
5. Click on Advanced.
6. Change the SSL Version from TLS1 to SSLv3.

You should now be able to collect logs successfully and see the following message in the logs:

 May 28 15:04:16 YYYYYY nw[10144]: [Engine] [audit] User admin (session 471246, 127.0.0.1:54570) has changed /logcollection/sdee/eventsources/ciscoids/TIPRJRL1/ssl_version from "tlsv1" to "sslv3" May 28 15:04:33 YYYYYY nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[1]:10182] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 500 SDEE events, Total duration 2122 (ms), Connect 49 (ms), Event Processing 55 (ms), Publish 55 (ms), Data Response 1928 (ms), Data Request 6 (ms), XML Parsing 26 (ms)