SpanVA Audit "No New Data Alert" after upgrade to version 1.15.3.153.0-19rc


Article ID: 370711


Products

CASB Securlet SAAS, CASB Advanced Threat Protection, CASB Audit, CASB Gateway, CASB Gateway Advanced, CASB Security Advanced, CASB Security Advanced IAAS, CASB Security Premium, CASB Security Premium IAAS, CASB Security Standard, CASB Securlet IAAS

Issue/Introduction

After upgrading SpanVA to 1.15.3.153.0-19rc, some clients may find that logs are no longer being sent from their data source to SpanVA.

Cause

Audit Engineering enhanced security in SpanVA version 1.15.3.153.0-19rc by removing several old keys, including ssh_host_rsa_key and ssh_host_ecdsa_key.

 

Resolution

If your data source uses ssh_host_rsa_key or ssh_host_ecdsa_key to send logs to SpanVA version 1.15.3.153.0-19rc and is failing:

  1. Edit the existing SSH to SpanVA connection to fetch the new ssh_host_ed25519_key from SpanVA.
  2. After successful Fetch from Server (SpanVA in this case).
  3. Click "Save". You may need to wait 15 min or so for this connection to sync up.
  4. Test Connection - confirm that the SSH data source to SpanVA is now sending logs successfully.

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/symantec-cloudsoc/cloud/cloudsoc-spanva/spanva-tasks/enforce-ciphers.html

Additional Information

The RhostsRSAAuthentication option was used in SSH (Secure Shell) to control a specific type of authentication mechanism.

This option has been deprecated and removed in SpanVA 1.15.3.153.0-19rc due to security concerns. It has been replaced with a more secure ed25519 host key.

Devices that use SSH to send logs to SpanVA may need to re-authenticate in order to obtain (fetch) the newest [ed25519] host key from SpanVA.

 

If editing the existing SSH connection inside the Data Source to SpanVA doesn't work:

1. Save the existing keys and all fields from the existing SSH connection to notepad.

2. Delete the old SSH to SpanVA connection from within the Proxy, ASG, FW, or other data source.

3. Create a new connection to SpanVA using the same IP address, Port (22), configs, username, Path, etc. that you saved to notepad.

4. Obtain (fetch) the newest [ed25519] host key from SpanVA and Save the new connection.

5. Allow ~15 - 30 min for the connection to sync up.

6. Go to the Data Source, click "Test connection", and confirm that Test Connection is successful.

Note: It may take some time for the connection to sync up, even if everything was configured correctly.

After a few minutes, incoming logs start appearing again in the SpanVA Monitoring tab.

After some hours, logs are seen processing successfully in the CloudSOC / Audit / Device Logs / Details option.
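
The key removal described under Cause can be checked on the data-source side before and after the re-fetch. The following is an added example, not Broadcom code: it assumes the data source keeps its pinned SpanVA host keys in OpenSSH known_hosts format (unhashed host names), and the address 192.0.2.10 and all key bytes are constructed placeholders. It lists pins of the removed RSA/ECDSA types and returns the SHA256 fingerprint of the stored ed25519 key.

```python
import base64
import hashlib

# Key types that were served from ssh_host_rsa_key / ssh_host_ecdsa_key.
REMOVED_TYPES = {"ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def make_blob(*fields: bytes) -> str:  # builds the constructed sample blobs only
    return base64.b64encode(b"".join(len(f).to_bytes(4, "big") + f for f in fields)).decode()

def read_fields(blob: bytes) -> list:
    """Split an SSH wire-format key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        field = blob[pos + 4:pos + 4 + n]
        if len(blob) - pos < 4 or len(field) != n:
            raise ValueError("truncated key blob")
        fields.append(field)
        pos += 4 + n
    return fields

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form OpenSSH prints it (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit_pins(known_hosts: str, host: str) -> dict:
    """Report pins of removed key types and the ed25519 fingerprint stored for host."""
    result = {"stale": [], "ed25519": None}
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or host not in parts[0].split(","):
            continue  # blank line, comment, or an entry for another host
        key_type, blob = parts[1], base64.b64decode(parts[2], validate=True)
        fields = read_fields(blob)
        if not fields or fields[0] != key_type.encode():
            raise ValueError("declared key type does not match key blob")
        if key_type in REMOVED_TYPES:
            result["stale"].append(key_type)
        elif key_type == "ssh-ed25519":
            if len(fields) != 2 or len(fields[1]) != 32:
                raise ValueError("malformed ed25519 public key")
            result["ed25519"] = fingerprint(blob)
    return result

# Constructed sample: 192.0.2.10 stands in for SpanVA; key bytes are dummy values.
SAMPLE = "\n".join([
    "192.0.2.10 ssh-rsa " + make_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 256),
    "192.0.2.10 ecdsa-sha2-nistp256 " + make_blob(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\xcd" * 64),
    "192.0.2.10 ssh-ed25519 " + make_blob(b"ssh-ed25519", bytes(range(32))),
])
```

Entries reported under `stale` are the pins that no longer match anything SpanVA offers; the `ed25519` fingerprint is the value to compare against the fingerprint of SpanVA's ssh_host_ed25519_key obtained out of band.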