Article Number | 000014703 |
Applies To | RSA Product Set: NetWitness Logs & Network; RSA Product/Service Type: Log Collector; RSA Version/Condition: 11.x, 10.6.x; Platform: Linux |
Issue | RSA Security Analytics Log Collector shows "Basic https handshake error" when attempting to pull events from Cisco IPS/IDS (SDEE Collection).
The Log Collector logs display errors similar to the following:
May 28 14:18:46 YYYYYYY nw[10144]: [SdeeCollection] [failure] [sdee:WrkUnit[2]:10183] [logError:733] [ciscoids.XXXXXX] [processing] [XXXXXX] Basic https handshake error: short read
May 28 14:18:46 YYYYYYY nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[2]:10183] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 0 SDEE events, Total duration 518 (ms), Connect 518 (ms), Event Processing 0 (ms), Publish 0 (ms), Data Response 0 (ms), Data Request 0 (ms), XML Parsing 0 (ms) |
Cause | The SDEE event source in the Log Collector defaults to TLSv1 as its SSL protocol version. Some older Cisco IPS/IDS sensors do not support TLSv1 and only negotiate SSLv3, so the sensor ends the connection instead of completing the handshake. The collector reports this as "Basic https handshake error: short read" (the connection closed before the handshake finished) and publishes 0 events for that source. |
Resolution | To resolve the issue, follow the steps below.
- From the Security Analytics UI, navigate to Administration -> Devices.
- Select the Log Collector device and click on View -> Config.
- Click on the Event Source tab.
- Select SDEE in the drop-down at the upper left.
- Select ciscoids in the left pane; the event source can then be edited in the right pane.
- Click on Advanced.
- Change the SSL Version from TLS1 to SSLv3.
You should now be able to collect logs successfully and see the following message in the logs:
May 28 15:04:16 YYYYYY nw[10144]: [Engine] [audit] User admin (session 471246, 127.0.0.1:54570) has changed /logcollection/sdee/eventsources/ciscoids/TIPRJRL1/ssl_version from "tlsv1" to "sslv3"
May 28 15:04:33 YYYYYY nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[1]:10182] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 500 SDEE events, Total duration 2122 (ms), Connect 49 (ms), Event Processing 55 (ms), Publish 55 (ms), Data Response 1928 (ms), Data Request 6 (ms), XML Parsing 26 (ms) |
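The following script is an added example and is not RSA or NetWitness code. It does two things a practitioner would want around the procedure above: it parses Log Collector lines in the format quoted in this article to find SDEE event sources that report handshake errors and publish nothing, and it probes a sensor with one handshake per protocol version so you can confirm that the sensor really only speaks SSLv3 before downgrading the event source. The log sample is constructed from the article's format with a placeholder host (lc01) and sensor ID (sensor1); the probe assumes the sensor listens on 443 and that the local OpenSSL build still has the old protocol versions compiled in (if not, the probe reports that rather than a sensor result).

```python
"""Triage helpers for the SDEE "Basic https handshake error" described above.

Added example, not RSA/NetWitness code.  SAMPLE_LOG is constructed from the
article's log format with placeholder host (lc01) and sensor ID (sensor1).
"""
import re
import socket
import ssl

# Constructed sample: handshake failure, the zero-event line that accompanies
# it, the audit line recording the ssl_version change, and the success line.
SAMPLE_LOG = """\
May 28 14:18:46 lc01 nw[10144]: [SdeeCollection] [failure] [sdee:WrkUnit[2]:10183] [logError:733] [ciscoids.sensor1] [processing] [sensor1] Basic https handshake error: short read
May 28 14:18:46 lc01 nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[2]:10183] [doWork:217] [ciscoids.sensor1] [processing] [sensor1] Published 0 SDEE events, Total duration 518 (ms), Connect 518 (ms), Event Processing 0 (ms), Publish 0 (ms), Data Response 0 (ms), Data Request 0 (ms), XML Parsing 0 (ms)
May 28 15:04:16 lc01 nw[10144]: [Engine] [audit] User admin (session 471246, 127.0.0.1:54570) has changed /logcollection/sdee/eventsources/ciscoids/sensor1/ssl_version from "tlsv1" to "sslv3"
May 28 15:04:33 lc01 nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[1]:10182] [doWork:217] [ciscoids.sensor1] [processing] [sensor1] Published 500 SDEE events, Total duration 2122 (ms), Connect 49 (ms), Event Processing 55 (ms), Publish 55 (ms), Data Response 1928 (ms), Data Request 6 (ms), XML Parsing 26 (ms)
"""

# Prefix shared by every nw[] line: timestamp, host, pid, [component] [level].
HEADER = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) nw\[(?P<pid>\d+)\]: "
                    r"\[(?P<component>\w+)\] \[(?P<level>\w+)\] (?P<rest>.*)$")
# SdeeCollection lines: [worker] [function:line] [source] [state] [sensor id] message.
SDEE = re.compile(r"^\[(?P<worker>[^\]]*\[\d+\][^\]]*)\] \[(?P<func>[^\]]+)\] \[(?P<source>[^\]]+)\] "
                  r"\[(?P<state>[^\]]+)\] \[(?P<sid>[^\]]+)\] (?P<msg>.*)$")
PUBLISHED = re.compile(r"Published (\d+) SDEE events")
SSL_CHANGE = re.compile(r'has changed (?P<path>\S+/ssl_version) from "(?P<old>\w+)" to "(?P<new>\w+)"')


def _entry(report, source):
    return report.setdefault(source, {"handshake_errors": 0, "published": 0, "ssl_version_changes": []})


def summarize(text):
    """Per event source (e.g. "ciscoids.sensor1"): handshake failures, events
    published, and ssl_version changes recorded by the audit log."""
    report = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        h = m.groupdict()
        if h["component"] == "SdeeCollection":
            s = SDEE.match(h["rest"])
            if not s:
                continue
            e = _entry(report, s["source"])
            if "handshake error" in s["msg"]:
                e["handshake_errors"] += 1
            p = PUBLISHED.search(s["msg"])
            if p:
                e["published"] += int(p.group(1))
        elif h["level"] == "audit":
            c = SSL_CHANGE.search(h["rest"])
            if c:  # .../eventsources/<type>/<name>/ssl_version -> "<type>.<name>"
                parts = c["path"].split("/")
                _entry(report, parts[-3] + "." + parts[-2])["ssl_version_changes"].append((c["old"], c["new"]))
    return report


def needs_attention(report):
    """Sources that logged handshake errors and never published an event."""
    return sorted(s for s, e in report.items() if e["handshake_errors"] and e["published"] == 0)


def probe_tls_version(host, port, version, timeout=5.0):
    """One handshake pinned to `version` (an ssl.TLSVersion member).  Returns "ok",
    "unsupported-locally" (this OpenSSL build lacks the version) or a short failure
    description.  Certificate checks are off: the probe tests the protocol, not the cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # security level >= 1 refuses SSLv3/TLS1.0; relax for the probe only
    except (ValueError, ssl.SSLError):
        return "unsupported-locally"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except (ssl.SSLEOFError, ConnectionResetError):
        return "peer closed during handshake"  # the condition the collector logs as a short read
    except ssl.SSLError as exc:
        return "ssl error: " + (exc.reason or str(exc))
    except OSError as exc:
        return "connect failed: " + str(exc)


def probe_all(host, port=443):
    """Map each protocol version name to its probe result, oldest first."""
    names = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
    return {n: probe_tls_version(host, port, getattr(ssl.TLSVersion, n)) for n in names}


if __name__ == "__main__":
    import sys
    for src in needs_attention(summarize(SAMPLE_LOG)):
        print("handshake failing, nothing published:", src)
    if len(sys.argv) > 1:  # usage: python sdee_triage.py <sensor-host> [port]
        for name, result in probe_all(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443).items():
            print(f"{name:8s} {result}")
```

Run it with no arguments to triage the embedded sample (on a real collector, feed it the contents of the nw log instead), or with a sensor host name to see which versions the sensor accepts; a sensor that answers "ok" only for SSLv3 and "peer closed during handshake" for TLSv1 is the case this article describes, and the matching NetWitness setting is the one changed in the Resolution above.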
Notes | This issue is not specific to ciscoids: the same handshake failure occurs for any SDEE (or other SSL/TLS-based) event source whose supported protocol version does not match the collector's SSL Version setting. Note that SSLv3 is deprecated (RFC 7568) and vulnerable to POODLE; change the setting only for the affected event source, and prefer updating the sensor to a release that supports TLS where that is possible. |
Legacy Article ID | a65952 |