VMware Cloud Community
eric_silberberg
Enthusiast

Syslog inbound error - possible penetration test?

I have an inbound error: on OneOfMyNodes. But Syslog client xxxyyyzzz is one of the systems from our security group. 
It's a Tenable security scanner node. Any chance that it's probing LI and that is generating the following message?

I'm still waiting to hear back from them, but there is no reason that guest should be forwarding me log data unless by some totally thumbed IP address target.

This alert is about your Log Insight installation on OneOfMyNodes

SSL Certificate Error (Host = OneOfMyNodes) triggered at 2021-12-12T18:29:46.186Z

This notification was generated from Log Insight node (Host = OneOfMyNodes, Node Identifier = 183e6378-3473-lmnop-a715-77402501a8cd).

Syslog client xxxyyyzzz disconnected due to a SSL handshake problem. This may be a problem with the SSL Certificate or with the Network Time Service. In order for Log Insight to accept syslog messages over SSL, a certificate that is validated by the client is required and the clocks of the systems must be in sync.

Log messages from xxxyyyzzz are not being accepted, reconfigure that system to not use SSL or see Online Help for instructions on how to install a new SSL certificate.

This message was generated by your Log Insight installation, visit the Documentation Center for more information.

yotadude1
Enthusiast

If the alert generates around the same time every day/week, the Tenable Nessus scanner is probably running a scheduled scan for vulnerabilities. I have seen this generated from Tenable Nessus active scans. I have not figured out a way to ignore the Nessus scanner to avoid generating these alerts.

eric_silberberg
Enthusiast

Our security team confirmed it is Tenable scanning on an encrypted connection. Solved.

CorSKG
Contributor

I'm running into the same issue.

How did you solve this? Did security update their certificate?

Thanks for your time.

mwidlar1
Contributor

Has anyone found a way to block/ignore these messages generated from the scanning? We get daily notifications of these events. Opened a ticket with VMware and they said there was no way to ignore an individual host object.

FredGSanford
Enthusiast

Running 8.10, ran into this issue. This resolved it:

Edit https://vrlicluster/internal/config

Add this under <disabled-notifications>

<notification pattern="SSL Certificate Error .*.*" />

No service restart needed.

FredGSanford
Enthusiast

Depending on which version you're running, you'll have to tinker with the <disabled-notifications> section in https://vrlicluster/internal/config

In 8.8.2, this blocked the alert:

<notification pattern="SSL Certificate Error" />

In 8.10:

<notification pattern="SSL Certificate Error .*.*" />

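The blanket pattern above suppresses every SSL Certificate Error notification, from any client, not only the scanner. As an added example (not from the thread and not VMware's code), here is a small Python triage step that could run on the exported notification text instead: it pulls the syslog client and node out of the alert and flags only clients that are not on an assumed allowlist of authorised scanners. The sample alert and IP addresses are constructed, and applying the pattern as a regex to the alert's title line is an assumption about how the filter works, not something the thread documents.

```python
import re

# Constructed sample, modelled on the alert text quoted in the thread.
# Host names and the client address are placeholders, not real systems.
SAMPLE_ALERT = (
    "SSL Certificate Error (Host = OneOfMyNodes) triggered at 2021-12-12T18:29:46.186Z\n"
    "Syslog client 203.0.113.7 disconnected due to a SSL handshake problem. "
    "This may be a problem with the SSL Certificate or with the Network Time Service."
)

# Assumed allowlist: addresses of scanners the security team runs (e.g. Tenable).
KNOWN_SCANNERS = {"203.0.113.7"}

# The two <disabled-notifications> patterns posted in the thread.
PATTERN_882 = "SSL Certificate Error"
PATTERN_810 = "SSL Certificate Error .*.*"


def pattern_matches_title(pattern: str, alert: str) -> bool:
    """Assumption: the configured pattern is applied as a regex to the first
    (title) line of the notification. Both thread patterns match any client."""
    title = alert.splitlines()[0]
    return re.match(pattern, title) is not None


def parse_alert(alert: str) -> dict:
    """Extract the syslog client and the Log Insight node from the alert body."""
    client = re.search(r"Syslog client (\S+) disconnected", alert)
    node = re.search(r"\(Host = ([^)]+)\)", alert)
    return {
        "client": client.group(1) if client else None,
        "node": node.group(1) if node else None,
    }


def triage(alert: str, known_scanners: set) -> str:
    """Per-client decision the blanket pattern cannot make: expected scanner
    noise is acknowledged, anything else keeps the alert visible for review."""
    info = parse_alert(alert)
    if info["client"] in known_scanners:
        return f"expected: authorised scanner {info['client']} probed {info['node']}"
    return f"investigate: unknown client {info['client']} attempted TLS syslog to {info['node']}"


if __name__ == "__main__":
    print(triage(SAMPLE_ALERT, KNOWN_SCANNERS))
    print(triage(SAMPLE_ALERT.replace("203.0.113.7", "198.51.100.9"), KNOWN_SCANNERS))
```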