TLS on syslog

Question

Hi, we have a problem with transferring syslog from Sophos firewall to the Arcsight SmartConnector. When we try UDP, logs can be seen in connector. However, with TLS communication fails. 
 This is only example, but ours handshake also fails at Change Cipher Spec. We have checked it in Wireshark and both Sophos and Arcsight agreed on the cipher. 
 4 0.003000 192.168.1.100 93.184.216.34 TLSv1.2 229 Client Hello 5 0.005000 93.184.216.34 192.168.1.100 TLSv1.2 148 Server Hello 6 0.005500 93.184.216.34 192.168.1.100 TLSv1.2 1500 Certificate 7 0.006000 93.184.216.34 192.168.1.100 TLSv1.2 143 Server Key Exchange 8 0.006500 93.184.216.34 192.168.1.100 TLSv1.2 89 Server Hello Done 9 0.007000 192.168.1.100 93.184.216.34 TLSv1.2 110 Client Key Exchange 10 0.007500 192.168.1.100 93.184.216.34 TLSv1.2 66 Change Cipher Spec 11 0.008000 93.184.216.34 192.168.1.100 TLSv1.2 85 Encrypted Alert 
 What I have checked: 1) Sophos trust CA that sign Arcsight connector certificate. 2) Arcsight connector certificate have correct hostname in CN and SAN field. 3) Both Sophos and Arcsight support same cipher. 4) Communication on FW allowed. 5) Arcsight listening on syslog port 6) Sophos sending data to syslog port 
 How should I troubleshoot this issue ? Thanks and regards

Mayur Makvana · Answer

Hello, 
 Kindly review configuration parameters using below KBA: 
 https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/LogsConfigureSecureSyslogServerWithExternalCertificate/index.html#introduction 
 If still an issue, you can review by capturing the packet capture on the Sophos.

TLS on syslog

Top Replies