eric_silberberg
Enthusiast

Syslog inbound error - possible penetration test?

I have an inbound error on OneOfMyNodes. But syslog client xxxyyyzzz is one of the systems from our security group.
It's a Tenable security scanner node. Any chance that it's probing LI and that is generating the following message?

I'm still waiting to hear back from them, but there is no reason that guest should be forwarding me log data unless by some totally thumbed IP address target.

This alert is about your Log Insight installation on OneOfMyNodes

SSL Certificate Error (Host = OneOfMyNodes) triggered at 2021-12-12T18:29:46.186Z

This notification was generated from Log Insight node (Host = OneOfMyNodes, Node Identifier = 183e6378-3473-lmnop-a715-77402501a8cd).

Syslog client xxxyyyzzz disconnected due to a SSL handshake problem. This may be a problem with the SSL Certificate or with the Network Time Service. In order for Log Insight to accept syslog messages over SSL, a certificate that is validated by the client is required and the clocks of the systems must be in sync.

Log messages from xxxyyyzzz are not being accepted, reconfigure that system to not use SSL or see Online Help for instructions on how to install a new SSL certificate .

This message was generated by your Log Insight installation, visit the Documentation Center for more information.
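Added example (not part of the original post or of Log Insight itself): a small triage script that parses alert bodies shaped like the one above, extracts the node, trigger time and offending syslog client, and groups repeated failures per client, marking a client that falls inside an allowlisted scanner range as expected scanner noise and anything else as a sender whose TLS trust or clock needs attention. The sample alerts, host names, addresses and the scanner range are constructed placeholders.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample alerts shaped like the Log Insight notification in the post.
# Hosts and client addresses are placeholders, not real values.
SAMPLE_ALERTS = [
    "SSL Certificate Error (Host = li-node-01) triggered at 2021-12-12T18:29:46.186Z\n"
    "Syslog client 10.20.30.40 disconnected due to a SSL handshake problem.",
    "SSL Certificate Error (Host = li-node-01) triggered at 2021-12-12T18:31:02.000Z\n"
    "Syslog client 10.20.30.40 disconnected due to a SSL handshake problem.",
    "SSL Certificate Error (Host = li-node-02) triggered at 2021-12-13T09:00:00.000Z\n"
    "Syslog client 192.0.2.77 disconnected due to a SSL handshake problem.",
]

# Assumed allowlist of authorised vulnerability-scanner sources (hypothetical range).
KNOWN_SCANNERS = [ip_network("10.20.30.0/24")]

HEADER_RE = re.compile(r"\(Host = (?P<host>[^)]+)\) triggered at (?P<ts>\S+)")
CLIENT_RE = re.compile(r"Syslog client (?P<client>\S+) disconnected due to a SSL handshake problem")


def parse_alert(text):
    """Pull node host, trigger time and the offending syslog client out of one alert body."""
    head = HEADER_RE.search(text)
    body = CLIENT_RE.search(text)
    if not head or not body:
        return None  # not an SSL handshake alert; ignore it
    ts = datetime.fromisoformat(head.group("ts").replace("Z", "+00:00"))
    return {"host": head.group("host"), "triggered_at": ts, "client": body.group("client")}


def classify(alert, scanners=KNOWN_SCANNERS):
    """An authorised scanner touching the TLS syslog port is expected noise; any other client
    is either a real sender with broken trust or clock, or an unknown host worth a look."""
    try:
        addr = ip_address(alert["client"])
    except ValueError:
        return "investigate"  # hostname rather than IP: resolve and check by hand
    return "expected-scanner" if any(addr in net for net in scanners) else "investigate"


def triage(alerts, scanners=KNOWN_SCANNERS):
    """Group alerts by client so repeated failures from one sender surface as one finding."""
    summary = {}
    for text in alerts:
        alert = parse_alert(text)
        if alert is None:
            continue
        entry = summary.setdefault(alert["client"], {"count": 0, "nodes": set(), "verdict": None})
        entry["count"] += 1
        entry["nodes"].add(alert["host"])
        entry["verdict"] = classify(alert, scanners)
    return summary
```

Pair the verdict with the scanner team's schedule: a burst that lines up with a scan window is benign, while a client that keeps failing outside any window is a forwarder to fix.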