000014703 - RSA Security Analytics Log Collector shows 'Basic https handshake error' when attempting to pull events from Cisco IPS/IDS (SDEE Collection)

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 30, 2019.
Version 3

Article Content

Article Number: 000014703
Applies To
 RSA Product Set: NetWitness Logs & Network
   RSA Product/Service Type: Log Collector
   RSA Version/Condition: 11.x, 10.6.x
   Platform: Linux
Issue
RSA Security Analytics Log Collector shows "Basic https handshake error" when attempting to pull events from Cisco IPS/IDS (SDEE Collection).

The Log Collector logs display errors similar to the following:

May 28 14:18:46 YYYYYYY nw[10144]: [SdeeCollection] [failure] [sdee:WrkUnit[2]:10183] [logError:733] [ciscoids.XXXXXX] [processing] [XXXXXX] Basic https handshake error: short read
May 28 14:18:46 YYYYYYY nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[2]:10183] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 0 SDEE events, Total duration 518 (ms), Connect 518 (ms), Event Processing 0 (ms), Publish 0 (ms), Data Response 0 (ms), Data Request 0 (ms), XML Parsing 0 (ms)

Cause
The default SSL protocol version in the Log Collector Event Source setting is TLSv1. Some Cisco IPS/IDS devices do not support TLSv1 and accept only SSLv3, so the TLS handshake fails before any SDEE request is sent. This is visible in the log above: the whole run is spent in Connect (518 ms of a 518 ms total), every other phase is 0 ms, and 0 SDEE events are published.

Resolution
To resolve the issue, change the SSL version configured for the event source to the version the device supports:

  1. From the Security Analytics UI, navigate to Administration -> Devices.
  2. Select the Log Collector device and click on View -> Config.
  3. Click on the Event Source tab.
  4. Select the SDEE option in the drop-down at the upper left.
  5. Select ciscoids in the left pane, where you will be able to edit the event source in the right pane.
  6. Click on Advanced.
  7. Change the SSL Version from TLSv1 to SSLv3 and save the event source.

You should now be able to collect logs successfully and see the following message in the logs:


May 28 15:04:16 YYYYYY nw[10144]: [Engine] [audit] User admin (session 471246, has changed /logcollection/sdee/eventsources/ciscoids/TIPRJRL1/ssl_version from "tlsv1" to "sslv3"
May 28 15:04:33 YYYYYY nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[1]:10182] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 500 SDEE events, Total duration 2122 (ms), Connect 49 (ms), Event Processing 55 (ms), Publish 55 (ms), Data Response 1928 (ms), Data Request 6 (ms), XML Parsing 26 (ms)
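When several SDEE event sources are configured it is useful to tell from the Log Collector log alone which sensors are still failing the handshake and which ssl_version each one has been set to. The following is an added example (not part of this article or of the NetWitness product) that parses the three line shapes quoted above: the handshake failure, the doWork summary, and the ssl_version audit entry. The sample log is constructed to mirror the lines in this article; the host name lc01 and the sensor names SENSOR1 and SENSOR2 are placeholders, and the event source name is taken from the ciscoids.<name> field shown in the log.

```python
"""Triage RSA Log Collector SDEE log lines for TLS/SSL handshake failures.

Added example, not RSA/NetWitness code. Reports, per ciscoids event source,
how many handshake errors were logged, whether the most recent collection
run published anything, and the ssl_version last set through the UI.
"""
import re
from collections import defaultdict

# Constructed sample log modelled on the lines quoted in the article.
# "lc01", "SENSOR1" and "SENSOR2" are placeholders.
SAMPLE_LOG = """\
May 28 14:18:46 lc01 nw[10144]: [SdeeCollection] [failure] [sdee:WrkUnit[2]:10183] [logError:733] [ciscoids.SENSOR1] [processing] [SENSOR1] Basic https handshake error: short read
May 28 14:18:46 lc01 nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[2]:10183] [doWork:217] [ciscoids.SENSOR1] [processing] [SENSOR1] Published 0 SDEE events, Total duration 518 (ms), Connect 518 (ms), Event Processing 0 (ms), Publish 0 (ms), Data Response 0 (ms), Data Request 0 (ms), XML Parsing 0 (ms)
May 28 14:19:10 lc01 nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[1]:10182] [doWork:217] [ciscoids.SENSOR2] [processing] [SENSOR2] Published 120 SDEE events, Total duration 900 (ms), Connect 40 (ms), Event Processing 30 (ms), Publish 20 (ms), Data Response 800 (ms), Data Request 5 (ms), XML Parsing 5 (ms)
May 28 15:04:16 lc01 nw[10144]: [Engine] [audit] User admin (session 471246, has changed /logcollection/sdee/eventsources/ciscoids/SENSOR1/ssl_version from "tlsv1" to "sslv3"
May 28 15:04:33 lc01 nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[1]:10182] [doWork:217] [ciscoids.SENSOR1] [processing] [SENSOR1] Published 500 SDEE events, Total duration 2122 (ms), Connect 49 (ms), Event Processing 55 (ms), Publish 55 (ms), Data Response 1928 (ms), Data Request 6 (ms), XML Parsing 26 (ms)
"""

# Handshake failure line: capture the event source and the OpenSSL-style reason.
HANDSHAKE_RE = re.compile(
    r"\[SdeeCollection\] \[failure\] .*?\[ciscoids\.(?P<source>[^\]]+)\] "
    r".*?Basic https handshake error: (?P<reason>.*)$"
)
# doWork summary line: event count plus the total and connect timings.
DOWORK_RE = re.compile(
    r"\[SdeeCollection\] \[info\] .*?\[ciscoids\.(?P<source>[^\]]+)\] "
    r".*?Published (?P<events>\d+) SDEE events, Total duration (?P<total>\d+) \(ms\), "
    r"Connect (?P<connect>\d+) \(ms\)"
)
# Audit line written when ssl_version is changed for an event source.
AUDIT_RE = re.compile(
    r"/logcollection/sdee/eventsources/ciscoids/(?P<source>[^/]+)/ssl_version "
    r"from \"(?P<old>\w+)\" to \"(?P<new>\w+)\""
)


def triage(log_text):
    """Return {source: summary} for every ciscoids event source seen in the log."""
    report = defaultdict(lambda: {
        "handshake_failures": 0,
        "reasons": [],
        "events_published": 0,
        "last_run_events": None,
        "last_run_connect_only": False,
        "ssl_version": None,
    })
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            entry = report[m["source"]]
            entry["handshake_failures"] += 1
            entry["reasons"].append(m["reason"].strip())
            continue
        m = DOWORK_RE.search(line)
        if m:
            entry = report[m["source"]]
            events = int(m["events"])
            entry["events_published"] += events
            entry["last_run_events"] = events
            # Whole run spent in Connect and nothing published: the TLS setup
            # consumed the cycle, which is how a handshake failure shows up here.
            entry["last_run_connect_only"] = (
                events == 0 and int(m["connect"]) == int(m["total"])
            )
            continue
        m = AUDIT_RE.search(line)
        if m:
            report[m["source"]]["ssl_version"] = m["new"]
    return dict(report)


def still_failing(report):
    """Sources that logged a handshake error and whose latest run published nothing."""
    return sorted(
        source for source, entry in report.items()
        if entry["handshake_failures"] and entry["last_run_events"] == 0
    )


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for source, entry in sorted(result.items()):
        print(source, entry)
    print("still failing:", still_failing(result))
```

Run against the full sample, SENSOR1 shows one handshake failure ("short read"), an ssl_version of sslv3 and a last run that published 500 events, so it no longer appears in still_failing; feed it only the first two lines and SENSOR1 is reported as still failing with the connect-only signature.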

Notes
Technically this issue applies to any scenario where the collection target has different SSL or TLS protocol requirements from the Log Collector default, not just ciscoids event sources.

SSLv3 is deprecated (RFC 7568) and has known protocol weaknesses such as POODLE. Treat the downgrade as a workaround for sensors that cannot be updated to software that supports TLS, confirm with the device vendor which protocol versions the sensor actually supports before changing the setting, and revert to a TLS version once the device supports it.

Legacy Article ID: a65952