After upgrading SpanVA to 1.15.3.153.0-19rc, some clients may find that logs are no longer being sent from their data source to SpanVA.
Audit Engineering enhanced security in SpanVA version 1.15.3.153.0-19rc by removing several old keys, including ssh_host_rsa_key and ssh_host_ecdsa_key.
If your data source uses ssh_host_rsa_key or ssh_host_ecdsa_key to send logs to SpanVA version 1.15.3.153.0-19rc and is failing, see:
https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/symantec-cloudsoc/cloud/cloudsoc-spanva/spanva-tasks/enforce-ciphers.html
The RhostsRSAAuthentication option was used in SSH (Secure Shell) to control a specific type of authentication mechanism.
This option has been deprecated and removed in SpanVA 1.15.3.153.0-19rc due to security concerns. It has been replaced with a more secure ed25519 host-key.
Devices that use SSH to send logs to SpanVA may need to re-authenticate in order to obtain (fetch) the newest [ed25519] host key from SpanVA.
If editing the existing SSH connection inside the Data Source to SpanVA doesn't work:
1. Save the existing keys and all fields from the existing SSH connection to notepad.
2. Delete the old SSH to SpanVA connection from within the Proxy, ASG, FW, or other data source.
3. Create a new connection to SpanVA using the same IP address you saved to notepad, Port (22), configs, U/N, Path, etc.
4. Obtain (fetch) the newest [ed25519] host key from SpanVA and Save the new connection.
5. Allow ~15 - 30 min for connection to sync up.
6. Go to Data Source "Test connection" - click and confirm that Test Connection is successful.
Note: It may take some time for the connection to sync up, even if everything was configured correctly.
After a few minutes, incoming logs start appearing again in the SpanVA Monitoring tab.
After some hours, logs are seen processing successfully in the CloudSOC / Audit / Device Logs / Details option.
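
For a data source that is an OpenSSH client (an assumption; the page does not say which SSH implementation each device uses), the following added example, which is not Broadcom's code, checks whether a known_hosts file still pins only the removed host-key types for a SpanVA address and therefore needs the ed25519 key re-fetched. The addresses, host name and key blobs are constructed placeholders, and hashed known_hosts entries are not matched.

```shell
#!/bin/sh
# Added example: classify the host-key types pinned for one host in an
# OpenSSH known_hosts file (plain-text host names only, not hashed entries).

# pinned_key_types FILE HOST -> sorted unique key types pinned for HOST
pinned_key_types() {
    awk -v host="$2" '
        /^[ \t]*#/ || NF == 0 { next }       # skip comments and blank lines
        {
            i = 1
            if ($1 ~ /^@/) i = 2             # skip @cert-authority / @revoked marker
            n = split($i, names, ",")        # host field may list several names
            for (k = 1; k <= n; k++)
                if (names[k] == host) { print $(i + 1); break }
        }' "$1" | sort -u
}

# hostkey_status FILE HOST -> prints one of:
#   ok       an ssh-ed25519 key is pinned
#   stale    entries exist but none is ssh-ed25519 (e.g. only ssh-rsa, ecdsa-sha2-*)
#   missing  no entry for HOST
hostkey_status() {
    types=$(pinned_key_types "$1" "$2")
    [ -n "$types" ] || { echo missing; return; }
    if printf '%s\n' "$types" | grep -qx 'ssh-ed25519'; then
        echo ok
    else
        echo stale
    fi
}

# Constructed sample: 192.0.2.10 still pins the pre-upgrade key types,
# 192.0.2.20 already holds the ed25519 key. Key blobs are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
# constructed known_hosts sample
192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER
192.0.2.10 ecdsa-sha2-nistp256 AAAAE2VjZHNh-PLACEHOLDER
spanva-b.example,192.0.2.20 ssh-ed25519 AAAAC3NzaC1lZDI1-PLACEHOLDER
EOF
}

sample=$(mktemp)
write_sample "$sample"
for h in 192.0.2.10 192.0.2.20 192.0.2.30; do
    printf '%s %s\n' "$h" "$(hostkey_status "$sample" "$h")"
done
rm -f "$sample"
```

A `stale` result corresponds to the case above where the old connection has to be deleted and recreated; the fingerprint of the newly fetched ed25519 key should be compared against the one shown on SpanVA itself before it is saved.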