eric_silberberg
Contributor

Syslog inbound error-possible penetration test?

I have an inbound error on OneOfMyNodes, but syslog client xxxyyyzzz is one of the systems from our security group.
It's a Tenable security scanner node. Any chance that it's probing LI and that is generating the following message?

I'm still waiting to hear back from them, but there is no reason that guest should be forwarding me log data unless by some totally thumbed IP address target.

This alert is about your Log Insight installation on OneOfMyNodes

SSL Certificate Error (Host = OneOfMyNodes) triggered at 2021-12-12T18:29:46.186Z

This notification was generated from Log Insight node (Host = OneOfMyNodes, Node Identifier = 183e6378-3473-lmnop-a715-77402501a8cd).

Syslog client xxxyyyzzz disconnected due to a SSL handshake problem. This may be a problem with the SSL Certificate or with the Network Time Service. In order for Log Insight to accept syslog messages over SSL, a certificate that is validated by the client is required and the clocks of the systems must be in sync.

Log messages from xxxyyyzzz are not being accepted, reconfigure that system to not use SSL or see Online Help for instructions on how to install a new SSL certificate.

This message was generated by your Log Insight installation, visit the Documentation Center for more information.

3 Replies
yotadude1
Contributor

If the alert generates around the same time every day/week, the Tenable Nessus scanner is probably running a scheduled scan for vulnerabilities. I have seen this generated from Tenable Nessus active scans. I have not figured out a way to ignore the Nessus scanner to avoid generating these alerts.

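An added triage example (not from this thread, from VMware or from Tenable) for alerts in the format quoted above: it parses the notification body, checks the client against an assumed allowlist of approved scanner hosts, and flags whether the alerts recur on a daily cadence, the pattern the reply associates with a scheduled scan. The alert body, the client name `scanner01.example.internal` (standing in for the redacted one) and the allowlist are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample alert body in the format quoted in the thread; the client
# name is a placeholder standing in for the redacted one (assumption).
SAMPLE_ALERT = (
    "SSL Certificate Error (Host = OneOfMyNodes) triggered at 2021-12-12T18:29:46.186Z\n\n"
    "Syslog client scanner01.example.internal disconnected due to a SSL handshake "
    "problem. This may be a problem with the SSL Certificate or with the Network Time Service.\n"
)
# Assumed allowlist of approved vulnerability-scanner sources (constructed).
KNOWN_SCANNERS = {"scanner01.example.internal"}
ALERT_RE = re.compile(
    r"triggered at (?P<ts>\S+).*?Syslog client (?P<client>\S+) disconnected "
    r"due to an? SSL handshake problem",
    re.S,
)


def parse_alert(body):
    """Pull the client name and UTC timestamp out of a Log Insight SSL-error notification."""
    m = ALERT_RE.search(body)
    if not m:
        return None
    # Python < 3.11 does not accept a trailing 'Z' in fromisoformat, so normalise it.
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return {"client": m.group("client"), "timestamp": ts}


def recurs_daily(timestamps, tolerance=timedelta(minutes=15)):
    """True if consecutive alerts are a whole number of days apart (within tolerance)."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return False
    for a, b in zip(ts, ts[1:]):
        gap = b - a
        days = round(gap / timedelta(days=1))
        if days < 1 or abs(gap - timedelta(days=days)) > tolerance:
            return False
    return True


def classify(alert, history=(), known_scanners=KNOWN_SCANNERS):
    """Triage verdict: approved scanner, probable scheduled scan, or needs a look."""
    if alert is None:
        return "not-a-handshake-alert"
    if alert["client"] in known_scanners:
        return "expected-scanner-probe"
    if recurs_daily(list(history) + [alert["timestamp"]]):
        return "recurring-unverified-source"
    return "investigate"
```

A client that is on the allowlist is reported as an expected probe; one that is not, but fires on a daily rhythm, is reported as recurring and unverified so it can be confirmed with the security team before being suppressed.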
eric_silberberg
Contributor

Our security team confirmed it is Tenable scanning on an encrypted connection. Solved.

CorSKG
Contributor

I'm running into the same issue.

How did you solve this? Did security update their certificate?

Thanks for your time.
