How to Disable TLS 1.0 and 1.1 and Enforce TLSv1.2 in EventLog Analyzer


Objective

EventLog Analyzer supports TLSv1, TLSv1.1 and TLSv1.2 by default for connection compatibility. Disabling the deprecated protocols enhances security by ensuring that only secure transport layers (TLS 1.2 and above) are used for communication between the server and clients.
This article explains how to disable TLS v1.0 and TLS v1.1 and update the ciphers in ManageEngine EventLog Analyzer and its Elasticsearch.

Prerequisites

  1. Administrator privileges to access the EventLog Analyzer user interface.
  2. An EventLog Analyzer version at or near the latest release, or at least newer than the End of Support version.

Steps to follow

1. Log in to the EventLog Analyzer user interface as an administrator.
2. Navigate to Settings → Admin Settings → System Settings → Connection Settings.
3. Click the Advanced drop-down to view the TLS versions and ciphers used.
4. Click the TLS list view to see the supported TLS versions. Clear the checkbox for each TLS version you want to disable (TLSv1 and TLSv1.1).
5. When a TLS version is disabled, the system automatically removes ciphers not supported by the active TLS versions. You can also add ciphers to the list if required.
6. Click Save Settings to enforce connections using TLS 1.2 or higher.
7. Restart EventLog Analyzer for the changes to take effect. Refer to How to Start and Shutdown EventLog Analyzer.

For Elasticsearch:
Step 1: Locate the elasticsearch.yml file
Based on the deployment, the file is present at one of the following paths:
For builds below 13000:
- For Local ES installation path:
  <Installation Directory>\<EventLog Analyzer>\ES\config\elasticsearch.yml
- For Common ES installation path:
  <Installation Directory>\elasticsearch\ES\config\elasticsearch.yml
Some setups may use both Elasticsearch nodes. The ES directory location can be checked in System Diagnostics. Refer to the image below.
For builds 13000 and above:
- For ES installation path:
<Installation Directory>\Log360\ES\config\elasticsearch.yml
The above path is applicable for both Primary installation and for log processors.
Step 2: Back up the file
- Copy the elasticsearch.yml file from the <Installation Directory>\Log360\ES\config\ folder and paste it in another location as a backup.
Step 3: Modify the yml file
Open the primary elasticsearch.yml file in a text editor with admin rights and set the following:
searchguard.ssl.transport.enabled_protocols: ["TLSv1.2"]
searchguard.ssl.transport.enabled_ciphers: ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]
(Refer Figure 2)
or
searchguard.ssl.transport.enabled_protocols:
- TLSv1.2
searchguard.ssl.transport.enabled_ciphers:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
(Refer Figure 3)
Figure 2
Figure 3
Step 4: Save and Restart Services
1. Save your changes.
2. Restart the EventLog Analyzer or Log360 service for the changes to take effect.
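
To check the edited file from Step 3 before restarting, the following added example (not ManageEngine's or Search Guard's code) reads the two settings in either of the forms shown above and flags deprecated protocols and weak suites. The sample files are constructed, and the weak-suite rules (CBC mode, static RSA/DH/ECDH key exchange) are this example's assumptions, not a vendor policy.

```python
PREFIX = "searchguard.ssl.transport."
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}
STATIC_KEX = ("TLS_RSA_", "TLS_ECDH_", "TLS_DH_")  # example's rule: no forward secrecy
def _clean(value):
    return value.split("#")[0].strip().strip("\"'")

def read_list(text, key):
    """Return a list setting written inline ([a, b]) or as '- a' items; None if absent."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if not s.startswith(key + ":"):
            continue
        rest = s[len(key) + 1:].split("#")[0].strip()
        if rest.startswith("["):
            return [_clean(v) for v in rest.strip("[]").split(",") if v.strip()]
        if rest:
            return [_clean(rest)]
        items = []
        for nxt in lines[i + 1:]:
            n = nxt.strip()
            if n.startswith("-"):
                items.append(_clean(n[1:]))
            elif n and not n.startswith("#"):
                break
        return items
    return None

def audit(text):
    """Return findings for the transport-layer protocol and cipher settings."""
    protocols = read_list(text, PREFIX + "enabled_protocols")
    ciphers = read_list(text, PREFIX + "enabled_ciphers")
    unset = (("enabled_protocols", protocols), ("enabled_ciphers", ciphers))
    findings = [f"{k} is not set, so defaults apply" for k, v in unset if v is None]
    findings += [f"deprecated protocol enabled: {p}" for p in protocols or [] if p in DEPRECATED]
    for c in ciphers or []:
        if "_CBC_" in c:
            findings.append(f"CBC (non-AEAD) suite: {c}")
        if c.startswith(STATIC_KEX):
            findings.append(f"no forward secrecy: {c}")
    return findings

# Constructed sample files, one in each form the article shows.
HARDENED = (PREFIX + "enabled_protocols:\n- TLSv1.2\n" + PREFIX + "enabled_ciphers:\n"
            "- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\n- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\n")
WEAK = (PREFIX + 'enabled_protocols: ["TLSv1", "TLSv1.1", "TLSv1.2"]\n' + PREFIX +
        'enabled_ciphers: ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]\n')
if __name__ == "__main__":
    print(audit(HARDENED), audit(WEAK), sep="\n")
```

Both suites in the article's snippet are ECDHE_ECDSA, which can only be negotiated when the node certificate carries an ECDSA key; this audit does not inspect the certificate.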

Tips

- Always keep EventLog Analyzer at or near the latest version for optimal performance and security and to unlock new features and enhancements. Refer to EventLog Analyzer - Service pack upgrade to check the available ppm version to upgrade.
- If older clients cannot connect after disabling TLS 1.0/1.1, upgrade them to support TLS 1.2 or higher.  
- Review your organization’s security compliance policies (NIST, PCI DSS) to maintain protocol alignment.
- For Elasticsearch's list of enabled TLS protocols, the protocols supported with the current JVM are TLSv1.1 and TLSv1.2. For its list of enabled TLS cipher suites, the ciphers supported with JVM (1.8.0_282) are as follows:
TLS_AES_128_GCM_SHA256,
TLS_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV