<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Syslog inbound error-possible penetration test? in VMware Aria Operations for Logs Discussions</title>
    <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2884626#M2756</link>
    <description>&lt;P&gt;If the alert generates around the same time every day/week, the Tenable Nessus scanner is probably running a scheduled scan for vulnerabilities. I have seen this generated from Tenable Nessus active scans. I have not figured out a way to ignore the Nessus scanner to avoid generating these alerts.&lt;/P&gt;</description>
    <pubDate>Tue, 21 Dec 2021 14:09:10 GMT</pubDate>
    <dc:creator>yotadude1</dc:creator>
    <dc:date>2021-12-21T14:09:10Z</dc:date>
    <item>
      <title>Syslog inbound error-possible penetration test?</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2883161#M2752</link>
      <description>&lt;P&gt;I have an inbound error: on&amp;nbsp;&lt;SPAN&gt;OneOfMyNodes. But&amp;nbsp;Syslog client&amp;nbsp;xxxyyyzzz is one of the systems from our security group.&amp;nbsp;&lt;BR /&gt;It's a Tenable security scanner node. Any chance that it's probing LI and that is generating the following message?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I'm still waiting to hear back from them, but there is no reason that guest should be forwarding me log data unless by some totally thumbed IP address target.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;This alert is about your Log Insight installation on OneOfMyNodes&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;SSL Certificate Error (Host = OneOfMyNodes) triggered at 2021-12-12T18:29:46.186Z&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;This notification was generated from Log Insight node (Host = OneOfMyNodes, Node Identifier = 183e6378-3473-lmnop-a715-&lt;/SPAN&gt;&lt;SPAN&gt;77402501a8cd).&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Syslog client&amp;nbsp;xxxyyyzzz&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;disconnected due to a SSL handshake problem. This may be a problem with the SSL Certificate or with the Network Time Service. 
In order for Log Insight to accept syslog messages over SSL, a certificate that is validated by the client is required and the clocks of the systems must be in sync.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Log messages from xxxyyyzzz&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;are not being accepted, reconfigure that system to not use SSL or see&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://www.vmware.com/support/pubs/log-insight-pubs.html" target="_blank" rel="noopener"&gt;Online Help&lt;/A&gt;&lt;SPAN&gt;&amp;nbsp;for instructions on how to install a new SSL certificate .&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;This message was generated by your Log Insight installation, visit the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://www.vmware.com/support/pubs/log-insight-pubs.html" target="_blank" rel="noopener"&gt;Documentation Center&lt;/A&gt;&lt;SPAN&gt;&amp;nbsp;for more information.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 13 Dec 2021 20:57:50 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2883161#M2752</guid>
      <dc:creator>eric_silberberg</dc:creator>
      <dc:date>2021-12-13T20:57:50Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog inbound error-possible penetration test?</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2884626#M2756</link>
      <description>&lt;P&gt;If the alert generates around the same time every day/week, the Tenable Nessus scanner is probably running a scheduled scan for vulnerabilities. I have seen this generated from Tenable Nessus active scans. I have not figured out a way to ignore the Nessus scanner to avoid generating these alerts.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Dec 2021 14:09:10 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2884626#M2756</guid>
      <dc:creator>yotadude1</dc:creator>
      <dc:date>2021-12-21T14:09:10Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog inbound error-possible penetration test?</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2884654#M2757</link>
      <description>&lt;P&gt;Our security team confirmed it is Tenable scanning on an encrypted connection. Solved.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Dec 2021 15:45:56 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2884654#M2757</guid>
      <dc:creator>eric_silberberg</dc:creator>
      <dc:date>2021-12-21T15:45:56Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog inbound error-possible penetration test?</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2890000#M2763</link>
      <description>&lt;P&gt;I'm running into the same issue.&lt;/P&gt;&lt;P&gt;How did you solve this? Did security update their certificate?&lt;/P&gt;&lt;P&gt;Thanks for your time.&lt;/P&gt;</description>
      <pubDate>Tue, 25 Jan 2022 10:52:04 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2890000#M2763</guid>
      <dc:creator>CorSKG</dc:creator>
      <dc:date>2022-01-25T10:52:04Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog inbound error-possible penetration test?</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2938376#M2818</link>
      <description>&lt;P&gt;Has anyone found a way to block/ignore these messages generated from the scanning?&amp;nbsp; We get daily notifications of these events.&amp;nbsp; Opened a ticket with VMware and they said there was no way to ignore an individual host object.&lt;/P&gt;</description>
      <pubDate>Tue, 15 Nov 2022 13:56:46 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2938376#M2818</guid>
      <dc:creator>mwidlar1</dc:creator>
      <dc:date>2022-11-15T13:56:46Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog inbound error-possible penetration test?</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2943146#M2823</link>
      <description>&lt;P&gt;Running 8.10, ran into this issue.&amp;nbsp; This resolved it:&lt;/P&gt;&lt;P&gt;Edit &lt;A href="https://vrlicluster/internal/config" target="_blank"&gt;https://vrlicluster/internal/config&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Add this under&amp;nbsp; &amp;lt;disabled-notifications&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;lt;notification pattern="SSL Certificate Error .*.*" /&amp;gt;&lt;/P&gt;&lt;P&gt;No service restart needed.&lt;/P&gt;</description>
      <pubDate>Fri, 09 Dec 2022 21:43:02 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2943146#M2823</guid>
      <dc:creator>FredGSanford</dc:creator>
      <dc:date>2022-12-09T21:43:02Z</dc:date>
    </item>
    <item>
      <title>Re: Syslog inbound error-possible penetration test?</title>
      <link>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2943147#M2824</link>
      <description>&lt;P&gt;Depending on which version you're running, you'll have to tinker with the&amp;nbsp; &amp;lt;disabled-notifications&amp;gt; section in &lt;A href="https://vrlicluster/internal/config" target="_blank"&gt;https://vrlicluster/internal/config&lt;/A&gt;&lt;/P&gt;&lt;P&gt;In 8.8.2, this blocked the alert:&lt;/P&gt;&lt;P&gt;&amp;lt;notification pattern="SSL Certificate Error" /&amp;gt;&lt;/P&gt;&lt;P&gt;8.10&lt;/P&gt;&lt;P&gt;&amp;lt;notification pattern="SSL Certificate Error .*.*" /&amp;gt;&lt;/P&gt;</description>
      <pubDate>Fri, 09 Dec 2022 21:48:52 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/VMware-Aria-Operations-for-Logs/Syslog-inbound-error-possible-penetration-test/m-p/2943147#M2824</guid>
      <dc:creator>FredGSanford</dc:creator>
      <dc:date>2022-12-09T21:48:52Z</dc:date>
    </item>
  </channel>
</rss>

