Applies To
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector, Remote Collector
RSA Version: 10.6.x

Issue
On Log Collectors for RSA NetWitness Logs & Network 10.6.x, the SELinux environment prevents the SCP protocol from working with the default configuration.
Log Collector versions 10.6.2 and later
The Log Collector configures SELinux to run in Enforcing mode. This is required for the plugin collection protocol. If you have AWS CloudTrail or Microsoft Azure event sources on a Log Collector, SELinux must remain in Enforcing mode.
The recommendation is to use a separate Virtual Log Collector (VLC) for the File collection event sources that use SCP. On this VLC, disable SELinux as described below for Log Collector versions 10.6.0 and later. This step MUST be performed whenever the Log Collector RPM is updated on this VLC.
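The required SELinux mode depends on the collector's role, and the setting has to be reapplied after each Log Collector RPM update. The following check is an added example, not part of the original article or any RSA tooling; the role labels `plugin` and `scp` and the function names are assumptions made for this example.

```bash
#!/bin/sh
# Added example (not RSA code): verify a collector's SELinux mode matches its role.
# Hypothetical role labels used only in this example:
#   plugin - hosts AWS CloudTrail / Microsoft Azure event sources: must be Enforcing
#   scp    - dedicated VLC for File collection over SCP: SELinux disabled per the article

# Print the persistent mode from an SELinux config file (normally /etc/selinux/config).
# Commented-out lines and SELINUXTYPE= are ignored; prints "unknown" if nothing valid is set.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null \
        | tail -n 1 | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo "unknown" ;;
    esac
}

# Print the mode the article calls for on a given role.
expected_mode() {
    case "$1" in
        plugin) echo "enforcing" ;;
        scp)    echo "disabled" ;;
        *)      echo "unknown" ;;
    esac
}

# check_role ROLE CONFIG_FILE [RUNTIME_MODE]
# RUNTIME_MODE is the output of getenforce; if omitted, only the config file is checked.
# Prints one status line; returns 0 on match, 1 on drift, 2 on an unknown role.
check_role() {
    want=$(expected_mode "$1")
    if [ "$want" = "unknown" ]; then
        echo "ERROR unknown role: $1"
        return 2
    fi
    have=$(selinux_config_mode "$2")
    run=$(printf '%s' "${3:-$have}" | tr '[:upper:]' '[:lower:]')
    if [ "$have" = "$want" ] && [ "$run" = "$want" ]; then
        echo "OK role=$1 config=$have runtime=$run"
        return 0
    fi
    echo "DRIFT role=$1 expected=$want config=$have runtime=$run"
    return 1
}

# Typical use on a collector, for example after a Log Collector RPM update:
#   check_role scp /etc/selinux/config "$(getenforce)"
```

A `DRIFT` result on the SCP VLC after an RPM update indicates the SELinux step needs to be performed again; a `DRIFT` result on a plugin collector means Enforcing mode has been lost.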
Log Collector versions 10.6.0 and later
By default, SELinux runs in Permissive mode. Disabling SELinux resolves the problem.
To configure RSA version 10.6.0 and 10.6.1 Log Collectors