NetWitness Platform Log Collector shows 'Basic https handshake error' when attempting to pull events from Cisco IPS/IDS (SDEE Collection)
Issue
The RSA Security Analytics (now NetWitness Platform) Log Collector shows "Basic https handshake error" when attempting to pull events from a Cisco IPS/IDS sensor over SDEE Collection. No events are collected from that event source, and the Log Collector logs display errors similar to the following:
May 28 14:18:46 YYYYYYY nw[10144]: [SdeeCollection] [failure] [sdee:WrkUnit[2]:10183] [logError:733] [ciscoids.XXXXXX] [processing] [XXXXXX] Basic https handshake error: short read
May 28 14:18:46 YYYYYYY nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[2]:10183] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 0 SDEE events, Total duration 518 (ms), Connect 518 (ms), Event Processing 0 (ms), Publish 0 (ms), Data Response 0 (ms), Data Request 0 (ms), XML Parsing 0 (ms)
Cause
The default SSL Version setting for an SDEE event source in the Log Collector is TLSv1. Some older Cisco IPS/IDS sensors do not support TLSv1 and negotiate only SSLv3, so the TLS handshake with the sensor never completes. This is why the second log line above shows the whole 518 ms spent in the Connect phase and 0 SDEE events published: the collector never gets past the handshake to request data.
Resolution
To resolve the issue, change the SSL Version for the affected SDEE event source as follows:
- From the NetWitness Platform UI, navigate to Administration -> Services.
- Select the Log Collector service and click View -> Config.
- Click the Event Sources tab.
- Select SDEE in the drop-down at the upper left.
- Select ciscoids in the left pane; the event source can then be edited in the right pane.
- Click Advanced.
- Change the SSL Version from TLSv1 to SSLv3 and apply the change.
You should now be able to collect logs successfully. The logs show the audit entry for the configuration change, followed by a poll that publishes events:
May 28 15:04:16 YYYYYY nw[10144]: [Engine] [audit] User admin (session 471246, 127.0.0.1:54570) has changed /logcollection/sdee/eventsources/ciscoids/TIPRJRL1/ssl_version from "tlsv1" to "sslv3"
May 28 15:04:33 YYYYYY nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[1]:10182] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 500 SDEE events, Total duration 2122 (ms), Connect 49 (ms), Event Processing 55 (ms), Publish 55 (ms), Data Response 1928 (ms), Data Request 6 (ms), XML Parsing 26 (ms)
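The two log excerpts above are the signals to watch when several SDEE sources are affected: a "Basic https handshake error" paired with a "Published 0 SDEE events" poll marks a source that is still failing, while the Engine audit entry records every ssl_version change. The following script is an added example, not part of this article or of the NetWitness product, that parses these Log Collector lines and reports which sources still fail and which have been downgraded to SSLv3. The sample lines are constructed copies of the ones shown on this page (hostnames and event-source names are placeholders, as on the page); run it against /var/log/messages or the exported Log Collector log on the appliance.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the log lines in this article.
SAMPLE_LOG = """\
May 28 14:18:46 YYYYYYY nw[10144]: [SdeeCollection] [failure] [sdee:WrkUnit[2]:10183] [logError:733] [ciscoids.XXXXXX] [processing] [XXXXXX] Basic https handshake error: short read
May 28 14:18:46 YYYYYYY nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[2]:10183] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 0 SDEE events, Total duration 518 (ms), Connect 518 (ms), Event Processing 0 (ms), Publish 0 (ms), Data Response 0 (ms), Data Request 0 (ms), XML Parsing 0 (ms)
May 28 15:04:16 YYYYYY nw[10144]: [Engine] [audit] User admin (session 471246, 127.0.0.1:54570) has changed /logcollection/sdee/eventsources/ciscoids/TIPRJRL1/ssl_version from "tlsv1" to "sslv3"
May 28 15:04:33 YYYYYY nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[1]:10182] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 500 SDEE events, Total duration 2122 (ms), Connect 49 (ms), Event Processing 55 (ms), Publish 55 (ms), Data Response 1928 (ms), Data Request 6 (ms), XML Parsing 26 (ms)
"""

TIMESTAMP = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"

# SdeeCollection worker lines. The worker field contains nested brackets
# ([sdee:WrkUnit[2]:10183]), so it gets an explicit pattern.
SDEE_RE = re.compile(
    TIMESTAMP + r" (?P<host>\S+) nw\[\d+\]: \[SdeeCollection\] \[(?P<level>\w+)\] "
    r"\[sdee:WrkUnit\[\d+\]:\d+\] \[(?P<func>[^\]]+)\] \[(?P<source>[^\]]+)\] "
    r"\[(?P<phase>[^\]]+)\] \[(?P<device>[^\]]+)\] (?P<msg>.*)$"
)

# Engine audit lines recording a configuration change.
AUDIT_RE = re.compile(
    TIMESTAMP + r" \S+ nw\[\d+\]: \[Engine\] \[audit\] User (?P<user>\S+) .*? "
    r"has changed (?P<path>\S+) from \"(?P<old>[^\"]*)\" to \"(?P<new>[^\"]*)\"$"
)

PUBLISHED_RE = re.compile(r"^Published (?P<n>\d+) SDEE events,.*Connect (?P<connect>\d+) \(ms\)")
HANDSHAKE_ERROR = "Basic https handshake error"


@dataclass
class SourceStatus:
    handshake_errors: int = 0
    last_published: Optional[int] = None   # events published by the most recent poll
    last_connect_ms: Optional[int] = None  # Connect phase of the most recent poll


def summarize(log_text: str) -> Tuple[Dict[str, SourceStatus], List[Tuple[str, str, str]]]:
    """Return per-source collection status and all ssl_version changes (path, old, new)."""
    status: Dict[str, SourceStatus] = {}
    changes: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        audit = AUDIT_RE.match(line)
        if audit:
            if audit["path"].endswith("/ssl_version"):
                changes.append((audit["path"], audit["old"], audit["new"]))
            continue
        m = SDEE_RE.match(line)
        if not m:
            continue
        st = status.setdefault(m["source"], SourceStatus())
        if m["msg"].startswith(HANDSHAKE_ERROR):
            st.handshake_errors += 1
        published = PUBLISHED_RE.match(m["msg"])
        if published:
            st.last_published = int(published["n"])
            st.last_connect_ms = int(published["connect"])
    return status, changes


def still_failing(status: Dict[str, SourceStatus]) -> List[str]:
    """Sources that logged a handshake error and whose latest poll published nothing."""
    return sorted(s for s, st in status.items()
                  if st.handshake_errors and not st.last_published)


def downgraded_to_sslv3(changes: List[Tuple[str, str, str]]) -> List[str]:
    """Config paths whose ssl_version was set to sslv3; keep these as tracked exceptions."""
    return [path for path, _old, new in changes if new.lower() == "sslv3"]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    status, changes = summarize(text)
    for source, st in sorted(status.items()):
        print(f"{source}: handshake_errors={st.handshake_errors} "
              f"last_published={st.last_published} connect_ms={st.last_connect_ms}")
    print("still failing:", still_failing(status))
    print("downgraded to SSLv3:", downgraded_to_sslv3(changes))
```

With the sample above, the only source (ciscoids.XXXXXX) logs one handshake error but its latest poll published 500 events, so it is no longer reported as failing, while the audit entry for TIPRJRL1 shows up in the SSLv3 list so the downgrade stays visible.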
Notes
This issue applies to any SDEE event source whose SSL/TLS protocol version differs from the Log Collector's default, not only ciscoids. Note that SSLv3 is deprecated (RFC 7568) and is affected by the POODLE attack (CVE-2014-3566), so set SSLv3 only on the event sources that require it, treat each as a tracked exception rather than a global default, and return the setting to TLS if the sensor is later updated to support it.
Product Details
- NetWitness Product Set: NetWitness Platform
- NetWitness Product/Service Type: Log Collector
- NetWitness Version/Condition: 11.x, 12.x or later
- Platform: CentOS/Alma Linux
Summary
Handshake error caused by an SSL/TLS protocol version mismatch between the Log Collector and older Cisco IPS/IDS sensors.