I have an inbound error: on OneOfMyNodes. But Syslog client xxxyyyzzz is one of the systems from our security group.
It's a Tenable security scanner node. Any chance that it's probing LI and that is generating the following message?
I'm still waiting to hear back from them, but there is no reason that guest should be forwarding me log data unless by some totally thumbed IP address target.
This alert is about your Log Insight installation on OneOfMyNodes
SSL Certificate Error (Host = OneOfMyNodes) triggered at 2021-12-12T18:29:46.186Z
This notification was generated from Log Insight node (Host = OneOfMyNodes, Node Identifier = 183e6378-3473-lmnop-a715-77402501a8cd).
Syslog client xxxyyyzzz disconnected due to a SSL handshake problem. This may be a problem with the SSL Certificate or with the Network Time Service. In order for Log Insight to accept syslog messages over SSL, a certificate that is validated by the client is required and the clocks of the systems must be in sync.
Log messages from xxxyyyzzz are not being accepted, reconfigure that system to not use SSL or see Online Help for instructions on how to install a new SSL certificate.
This message was generated by your Log Insight installation, visit the Documentation Center for more information.
If the alert generates around the same time every day/week, the Tenable Nessus scanner is probably running a scheduled scan for vulnerabilities. I have seen this generated from Tenable Nessus active scans. I have not figured out a way to ignore the Nessus scanner to avoid generating these alerts.
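The thread boils down to two triage questions: is the syslog client named in the alert an authorized scanner, and do the alerts recur on a schedule? The script below is an added example (it is not Log Insight code, nor anything posted in the thread) that parses alert bodies in the exact shape quoted above, tags alerts from a known-scanner list, and flags clients whose alerts cluster at the same time of day. The scanner address, the second client `10.0.0.99`, and the sample timestamps are constructed placeholders; the `KNOWN_SCANNERS` set is an assumption you would fill from your own asset inventory.

```python
"""Triage Log Insight 'SSL Certificate Error' alert bodies (added example, not vendor code)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: addresses of authorized vulnerability scanners (constructed placeholder).
KNOWN_SCANNERS = {"xxxyyyzzz"}

# Patterns match the alert text format quoted in the thread.
HEADER_RE = re.compile(
    r"SSL Certificate Error \(Host = (?P<host>[^)]+)\) triggered at (?P<ts>\S+)"
)
CLIENT_RE = re.compile(
    r"Syslog client (?P<client>\S+) disconnected due to a SSL handshake problem"
)


def parse_alert(text):
    """Extract the node host, trigger time (UTC) and offending syslog client from one alert body."""
    header = HEADER_RE.search(text)
    client = CLIENT_RE.search(text)
    if not header or not client:
        return None
    triggered = datetime.strptime(header.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "host": header.group("host"),
        "client": client.group("client"),
        "triggered": triggered.replace(tzinfo=timezone.utc),
    }


def classify(alert, scanners=KNOWN_SCANNERS):
    """An authorized scanner probing the TLS syslog port is expected noise; anything else needs a look."""
    return "expected-scanner" if alert["client"] in scanners else "investigate"


def recurring_clients(alerts, tolerance_minutes=30, min_count=3):
    """Return {client: spread_in_minutes} for clients whose alerts land at about the same time of day.

    Simplification: time-of-day spread is computed without midnight wrap-around handling.
    """
    by_client = defaultdict(list)
    for alert in alerts:
        by_client[alert["client"]].append(alert["triggered"])
    recurring = {}
    for client, times in by_client.items():
        if len(times) < min_count:
            continue
        minutes = [t.hour * 60 + t.minute for t in times]
        spread = max(minutes) - min(minutes)
        if spread <= tolerance_minutes:
            recurring[client] = spread
    return recurring


def triage(alert_texts, scanners=KNOWN_SCANNERS):
    """Parse every alert body, tag it, and report schedule-like recurrence per client."""
    parsed = [a for a in (parse_alert(t) for t in alert_texts) if a]
    tags = [(a["client"], classify(a, scanners)) for a in parsed]
    return {"tags": tags, "recurring": recurring_clients(parsed)}


def make_alert(host, ts, client):
    """Build an alert body in the thread's format (constructed sample input)."""
    return (
        f"SSL Certificate Error (Host = {host}) triggered at {ts}\n"
        f"Syslog client {client} disconnected due to a SSL handshake problem. "
        "This may be a problem with the SSL Certificate or with the Network Time Service."
    )


# Constructed sample: the scanner fires within minutes of 18:30 UTC on three days;
# a second, unknown client shows up once.
SAMPLE_ALERTS = [
    make_alert("OneOfMyNodes", "2021-12-12T18:29:46.186Z", "xxxyyyzzz"),
    make_alert("OneOfMyNodes", "2021-12-13T18:31:02.004Z", "xxxyyyzzz"),
    make_alert("OneOfMyNodes", "2021-12-14T18:35:10.500Z", "xxxyyyzzz"),
    make_alert("OneOfMyNodes", "2021-12-14T03:12:00.000Z", "10.0.0.99"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```

Anything tagged `investigate` is a client that should not be speaking TLS syslog to the node at all, while a scanner that both sits in the allowlist and recurs on a tight time-of-day window is the scheduled-scan pattern the reply describes and can be suppressed in your alerting pipeline rather than in Log Insight itself.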