This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by NetWitness experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Netwitness Platform Log Collector shows 'Basic https handshake error' when attempting to pull events from Cisco IPS/IDS (SDEE Collection)

Article Number

000001647

Applies To

 Netwitness Product Set: NetWitness Platform
Netwitness Product/Service Type: Log Collector
Netwitness Version/Condition: 11.x, 12.x or later 
Platform: CentOS/Alma Linux

Issue

RSA Security Analytics Log Collector shows "Basic https handshake error" when attempting to pull events from Cisco IPS/IDS (SDEE Collection).

The Log Collector logs display errors similar to the following:

May 28 14:18:46 YYYYYYY nw[10144]: [SdeeCollection] [failure] [sdee:WrkUnit[2]:10183] [logError:733] [ciscoids.XXXXXX] [processing] [XXXXXX] Basic https handshake error: short read
May 28 14:18:46 YYYYYYY nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[2]:10183] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 0 SDEE events, Total duration 518 (ms), Connect 518 (ms), Event Processing 0 (ms), Publish 0 (ms), Data Response 0 (ms), Data Request 0 (ms), XML Parsing 0 (ms)

Cause

The default SSL protocol version in the Log Collector Event Source setting is TLSv1. Some Cisco IPS/IDS devices do not support TLSv1 but only SSLv3.

Resolution

In order to resolve the issue, follow the steps below.

  1. From the Netwitness Platform UI, navigate to Administration -> Services.
  2. Select the Log Collector device and click on View -> Config.
  3. Click on the Event Source tab.
  4. Select the SDEE option in the drop-down on the left upper 
  5. Select ciscoids in the left pane, where you will be able to edit the event source in the right pane.
  6. Click on Advanced.
  7. Change the SSL Version from TLS1 to SSLv3.

You should now be able to collect logs successfully and see the following message in the logs:

  
 May 28 15:04:16 YYYYYY nw[10144]: [Engine] [audit] User admin (session 471246, 127.0.0.1:54570) has changed /logcollection/sdee/eventsources/ciscoids/TIPRJRL1/ssl_version from "tlsv1" to "sslv3" May 28 15:04:33 YYYYYY nw[10144]: [SdeeCollection] [info] [sdee:WrkUnit[1]:10182] [doWork:217] [ciscoids.XXXXXX] [processing] [XXXXXX] Published 500 SDEE events, Total duration 2122 (ms), Connect 49 (ms), Event Processing 55 (ms), Publish 55 (ms), Data Response 1928 (ms), Data Request 6 (ms), XML Parsing 26 (ms)

Notes

Technically this issue applies to any scenario where the collection has different ssl or tls protocol needs and not just ciscoid's.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2024-07-31 06:06 PM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.