registering SYSLOG server and test connection does not succeed

Registering a new SYSLOG server, with ENABLE EVENT FORWARDING checked, TEST CONNECTION does not succeed, only shows 3 dots (...)
- TELNETs work (telnet IP port)
- there is no firewall between the two hosts
- EVENT PARSER log seems to recognize and load the new server/port information
- SIEM seems to be receiving WINDOWS events/logs
- SIEM does not seem to be receiving ePO events/logs

Question - any ideas on how to troubleshoot what the 3 dots, or lack of a TEST SUCCESSFUL message, means?

Question - in CONFIGURATION->SERVER SETTINGS->EVENT FILTERING there is a column heading, STORE IN SIEM.
- in addition to registering a SYSLOG server, do we also need to provide SIEM information/details?
3 Replies
cdinet
McAfee Employee
Message 2 of 4

Re: registering SYSLOG server and test connection does not succeed

The 3 dots indicate an SSL handshake failure. Please review KB91194 for TLS requirements for ePO and syslog.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: registering SYSLOG server and test connection does not succeed

Updates / summary:

McAfee's cipher requirements are here:

https://kc.mcafee.com/corporate/index?page=content&id=KB91194&_ga=2.57392170.1899972280.1635523994-9...

RSA's cipher requirements are here:

https://community.rsa.com/t5/netwitness-platform-online/decoder-decrypt-incoming-packets/ta-p/572035...

There are entries on both lists, for example:

TLS_RSA_WITH_AES_256_GCM_SHA384
is on both lists, and is FIPS compliant

So, next step is to investigate the keys/PEM files

unless you have any ideas

cdinet
McAfee Employee
Message 4 of 4

Re: registering SYSLOG server and test connection does not succeed

Run nmap against the syslog server on the syslog port. That will tell you if the syslog server itself has the proper ciphers and TLS protocols enabled.

https://kc.mcafee.com/corporate/index?page=content&id=KB91115

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
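
The symptom discussed in this thread (telnet connects, yet the TLS handshake fails) can be checked outside ePO by separating the TCP connect from the TLS negotiation. This is an added example, not code from the thread or from McAfee; the function name `probe`, its result keys and the optional `cafile` argument are assumptions of this sketch, and without a CA file it skips certificate validation because it only checks what the receiver negotiates.

```python
import socket
import ssl
import sys

# OpenSSL name of TLS_RSA_WITH_AES_256_GCM_SHA384, the suite quoted in the thread.
SHARED_SUITE = "AES256-GCM-SHA384"

def probe(host, port, cipher=None, cafile=None, timeout=5.0):
    """Separate TCP reachability from TLS negotiation against a syslog receiver."""
    result = {"tcp": False, "tls": False, "version": None, "cipher": None, "error": None}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    try:
        if cafile:
            ctx.load_verify_locations(cafile)  # also validate the receiver's chain
        else:
            ctx.verify_mode = ssl.CERT_NONE  # negotiation check only, trust not evaluated
        if cipher:
            ctx.set_ciphers(cipher)
            # set_ciphers() does not govern TLS 1.3 suites, so pin to TLS 1.2.
            ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    except (ssl.SSLError, OSError) as exc:
        result["error"] = f"local: {exc}"  # bad CA file or suite unknown to local OpenSSL
        return result
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = f"tcp: {exc}"  # what a failed telnet would show
        return result
    result["tcp"] = True  # equivalent to "telnet IP port" succeeding
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result.update(tls=True, version=tls.version(), cipher=tls.cipher()[0])
    except (ssl.SSLError, OSError) as exc:
        result["error"] = f"tls: {exc}"  # the handshake stage itself failed
        sock.close()
    return result

if __name__ == "__main__":
    # Usage: python probe.py <syslog-host> <port>
    host, port = sys.argv[1], int(sys.argv[2])
    print("default offer:", probe(host, port))
    print("shared suite :", probe(host, port, cipher=SHARED_SUITE))
```

A result with `tcp` true and an error starting with `tls:` matches the case described above, where the port is reachable but the two sides cannot complete a handshake.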
