Hi,
we have a problem transferring syslog from the Sophos firewall to the Arcsight SmartConnector. When we try UDP, logs can be seen in the connector. However, with TLS the communication fails.
This is only an example, but our handshake also fails at Change Cipher Spec.
We have checked it in Wireshark, and both Sophos and Arcsight agreed on the cipher.
No.  Time      Source          Destination     Protocol  Length  Info
4    0.003000  192.168.1.100   93.184.216.34   TLSv1.2   229     Client Hello
5    0.005000  93.184.216.34   192.168.1.100   TLSv1.2   148     Server Hello
6    0.005500  93.184.216.34   192.168.1.100   TLSv1.2   1500    Certificate
7    0.006000  93.184.216.34   192.168.1.100   TLSv1.2   143     Server Key Exchange
8    0.006500  93.184.216.34   192.168.1.100   TLSv1.2   89      Server Hello Done
9    0.007000  192.168.1.100   93.184.216.34   TLSv1.2   110     Client Key Exchange
10   0.007500  192.168.1.100   93.184.216.34   TLSv1.2   66      Change Cipher Spec
11   0.008000  93.184.216.34   192.168.1.100   TLSv1.2   85      Encrypted Alert
What I have checked:
1) Sophos trusts the CA that signed the Arcsight connector certificate.
2) The Arcsight connector certificate has the correct hostname in the CN and SAN fields.
3) Both Sophos and Arcsight support the same cipher.
4) Communication on the FW is allowed.
5) Arcsight is listening on the syslog port.
6) Sophos is sending data to the syslog port.
How should I troubleshoot this issue?
Thanks and regards
Added TAGs
[edited by: Raphael Alganes at 11:47 AM (GMT -7) on 7 Oct 2024]
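As an added example, not part of the original post and not Sophos or Arcsight code: a small Python script that (1) parses a Wireshark summary of the shape pasted above and reports which side sent the alert, which handshake message it followed, and whether the server ever asked for a client certificate, and (2) opens a TLS 1.2 session to the listener the way a syslog-over-TLS client would, so that the alert, which is encrypted on the wire and therefore unreadable in Wireshark, is decrypted locally and its reason shows up in the error. The capture lines embedded in the script are constructed (RFC 5737 addresses) to mirror the post; the host, port, CA file and server name passed to `probe_tls` are assumed parameters.

```python
"""Locate where a TLS 1.2 handshake breaks: from a Wireshark summary, and by
probing the listener directly.  Added example; the summary below is constructed."""
import re
import socket
import ssl

# Constructed sample in the "No. Time Src Dst Proto Len Info" shape of a
# Wireshark packet list (documentation addresses, not a real capture).
SAMPLE_SUMMARY = """\
4 0.003000 192.0.2.10 198.51.100.20 TLSv1.2 229 Client Hello
5 0.005000 198.51.100.20 192.0.2.10 TLSv1.2 148 Server Hello
6 0.005500 198.51.100.20 192.0.2.10 TLSv1.2 1500 Certificate
7 0.006000 198.51.100.20 192.0.2.10 TLSv1.2 143 Server Key Exchange
8 0.006500 198.51.100.20 192.0.2.10 TLSv1.2 89 Server Hello Done
9 0.007000 192.0.2.10 198.51.100.20 TLSv1.2 110 Client Key Exchange
10 0.007500 192.0.2.10 198.51.100.20 TLSv1.2 66 Change Cipher Spec
11 0.008000 198.51.100.20 192.0.2.10 TLSv1.2 85 Encrypted Alert
"""

LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.+?)\s*$")


def parse_summary(text):
    """Parse Wireshark summary lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["no"] = int(row["no"])
            row["length"] = int(row["length"])
            rows.append(row)
    return rows


def locate_failure(rows):
    """Report who sent the alert and which handshake message it followed.

    The client is whoever sent the Client Hello.  Note that Wireshark folds the
    client's Finished ("Encrypted Handshake Message") into the Change Cipher Spec
    frame, so an alert right after the client's CCS means the server rejected the
    client's final flight before sending its own CCS."""
    hello = next((r for r in rows if r["info"].startswith("Client Hello")), None)
    if hello is None:
        return {"status": "no Client Hello in capture"}
    client = hello["src"]
    seen = []
    for r in rows:
        role = "client" if r["src"] == client else "server"
        if "Alert" in r["info"]:
            return {
                "status": "alert",
                "alert_from": role,
                "after": seen[-1] if seen else None,
                "seen": seen,
                # A server that wants mutual TLS sends Certificate Request
                # before Server Hello Done; absent here, so not that case.
                "client_cert_requested": "server:Certificate Request" in seen,
            }
        seen.append(f"{role}:{r['info']}")
    return {"status": "no alert", "seen": seen}


def probe_tls(host, port, cafile=None, server_hostname=None, timeout=5.0):
    """Open a TLS 1.2 session like a syslog-TLS client and classify the outcome.

    host, port, cafile and server_hostname are assumed parameters.  Because the
    client decrypts the alert record itself, ssl.SSLError.reason carries the
    alert description that the packet capture only shows as "Encrypted Alert"."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "stage": "certificate verification", "detail": e.verify_message}
    except ssl.SSLError as e:
        return {"ok": False, "stage": "handshake", "detail": e.reason}
    except OSError as e:
        return {"ok": False, "stage": "tcp", "detail": str(e)}


if __name__ == "__main__":
    report = locate_failure(parse_summary(SAMPLE_SUMMARY))
    print(f"alert sent by {report['alert_from']} after {report['after']}")
    print(f"client certificate requested: {report['client_cert_requested']}")
    # Example probe against an assumed listener; adjust host/port/CA before use.
    # print(probe_tls("connector.example", 6514, cafile="ca.pem"))
```

The same information as `probe_tls` can be had from the firewall side of the network with `openssl s_client -connect <connector>:<port> -CAfile ca.pem -tls1_2 -state`, which prints the handshake state machine step at which the alert arrives and the alert's level and description; the SmartConnector's own log on the receiving side is the other place the decrypted alert reason is recorded.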