
TLS on syslog

Hi,
We have a problem with transferring syslog from a Sophos firewall to the ArcSight SmartConnector. When we try UDP, logs can be seen in the connector. However, with TLS the communication fails.


This is only an example, but our handshake also fails at Change Cipher Spec.
We have checked it in Wireshark, and both Sophos and ArcSight agreed on the cipher.

 4  0.003000  192.168.1.100  93.184.216.34  TLSv1.2   229  Client Hello
 5  0.005000  93.184.216.34  192.168.1.100  TLSv1.2   148  Server Hello
 6  0.005500  93.184.216.34  192.168.1.100  TLSv1.2  1500  Certificate
 7  0.006000  93.184.216.34  192.168.1.100  TLSv1.2   143  Server Key Exchange
 8  0.006500  93.184.216.34  192.168.1.100  TLSv1.2    89  Server Hello Done
 9  0.007000  192.168.1.100  93.184.216.34  TLSv1.2   110  Client Key Exchange
10  0.007500  192.168.1.100  93.184.216.34  TLSv1.2    66  Change Cipher Spec
11  0.008000  93.184.216.34  192.168.1.100  TLSv1.2    85  Encrypted Alert

What I have checked:
1) Sophos trusts the CA that signs the ArcSight connector certificate.
2) The ArcSight connector certificate has the correct hostname in the CN and SAN fields.
3) Both Sophos and ArcSight support the same cipher.
4) Communication on the FW is allowed.
5) ArcSight is listening on the syslog port.
6) Sophos is sending data to the syslog port.

How should I troubleshoot this issue?
Thanks and regards



Added TAGs
[edited by: Raphael Alganes at 11:47 AM (GMT -7) on 7 Oct 2024]
  • Hi,

    I don't get the role of the Default CA certificate (Default.pem) here.

    1) Specify the attributes and details of the default CA on Sophos Firewall.
    Why do I need a default CA? Sophos should trust the CA that signs syslog-ng.crt.
    2) Copy the default and external CA certificates, the external certificate, and the external key to the syslog server.
    On the syslog server there should be our CA in the trust store, and syslog-ng.crt and syslog-ng.key signed by our CA.

    In short: our CA cert should be in both trust stores, and syslog-ng should use a certificate signed by our CA. Then Sophos should verify the syslog-ng server.
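The trust layout the reply describes (our CA in both trust stores, syslog-ng.crt and syslog-ng.key signed by that CA) and checks 1 and 2 from the opening post can be exercised locally with openssl before touching the firewall. The script below is an added example and is not code from this thread, from Sophos or from ArcSight: it builds a throwaway CA and a server certificate, turns "does our CA sign the cert" and "does the SAN/CN match the name the firewall connects to" into pass/fail calls, adds a key/cert pairing check, and provides an s_client probe for the real connector. The hostname syslog.example.test, the mismatched name 10.0.0.5, the "Unrelated Demo CA" and the temporary directory are all constructed for the demo; the file names syslog-ng.crt/syslog-ng.key only mirror the ones in the reply.

```shell
#!/bin/sh
# Added example (not from the thread, Sophos or ArcSight): reproduce the trust layout
# from the reply with a throwaway PKI, then run the poster's checks 1 and 2 as
# pass/fail openssl calls. Hostnames, file names and the work directory are constructed.
set -eu

# make_test_pki DIR HOSTNAME
# Writes DIR/ca.crt + ca.key ("our CA"), DIR/syslog-ng.crt + syslog-ng.key signed by it
# with HOSTNAME in both CN and SAN, and DIR/other-ca.crt (a CA that did NOT sign it).
make_test_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # Explicit CA:TRUE so the CA certificate is a real CA and not a self-signed leaf;
    # a TLS stack will not build a chain to a leaf even if that leaf is "trusted".
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Syslog CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/ca.cnf" \
        -subj "/CN=Unrelated Demo CA" -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" 2>/dev/null

    # Server CSR signed by our CA. Hostname verification uses the SAN whenever one is
    # present, so the CN alone is not enough for a modern client.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=$host" \
        -keyout "$dir/syslog-ng.key" -out "$dir/syslog-ng.csr" 2>/dev/null
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$host" > "$dir/leaf.cnf"
    openssl x509 -req -days 2 -in "$dir/syslog-ng.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/leaf.cnf" -out "$dir/syslog-ng.crt" 2>/dev/null
}

# chain_ok CAFILE CERT -> "ok"/"fail": check 1, does this CA file really sign the cert?
chain_ok() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then echo ok; else echo fail; fi
}

# hostname_ok CAFILE CERT NAME -> "ok"/"fail": check 2, does the SAN/CN match NAME exactly
# as the firewall is configured to reach the server (an IP address never matches a DNS SAN).
hostname_ok() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# cert_san CERT -> the SAN entries actually present in the certificate
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# key_matches_cert CERT KEY -> "ok"/"fail": the .crt and .key on the server belong together
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo ok; else echo fail; fi
}

# live_check HOST PORT CAFILE: probe the real connector the way the firewall would.
# "Verify return code: 0 (ok)" means checks 1 and 2 pass; any other code names the reason.
# "Acceptable client certificate CA names" means the server demands a client certificate.
live_check() {
    openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" -CAfile "$3" \
        </dev/null 2>&1 | grep -E 'Verify return code|Protocol *:|Cipher *:|client certificate CA names'
}

demo() {
    work=$(mktemp -d)
    make_test_pki "$work" syslog.example.test
    echo "our CA signs syslog-ng.crt:         $(chain_ok "$work/ca.crt" "$work/syslog-ng.crt")"
    echo "unrelated CA signs syslog-ng.crt:   $(chain_ok "$work/other-ca.crt" "$work/syslog-ng.crt")"
    echo "SAN in syslog-ng.crt:               $(cert_san "$work/syslog-ng.crt")"
    echo "name syslog.example.test matches:   $(hostname_ok "$work/ca.crt" "$work/syslog-ng.crt" syslog.example.test)"
    echo "name 10.0.0.5 matches:              $(hostname_ok "$work/ca.crt" "$work/syslog-ng.crt" 10.0.0.5)"
    echo "syslog-ng.key belongs to the cert:  $(key_matches_cert "$work/syslog-ng.crt" "$work/syslog-ng.key")"
    rm -rf "$work"
}

case "${1:-demo}" in
    demo) demo ;;
    live) live_check "$2" "$3" "$4" ;;
esac
```

Run it without arguments for the local demo, or as `sh tls_syslog_check.sh live <connector-host> 6514 ca.crt` against the connector (6514 is the RFC 5425 default; use whatever port the SmartConnector listens on, and give exactly the name the firewall is configured with). A verify return code of "unable to get local issuer certificate" means the CA file does not sign the chain the server presents; "Hostname mismatch" means the SAN/CN does not match the configured name, which is what happens when the firewall points at an IP address while the certificate only carries a DNS name. The "client certificate CA names" line shows whether the connector asks for a client certificate, a requirement none of the six checks in the post covers.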
