000034713 - Configuring Remote Log Collector for SCP Protocol usage on RSA NetWitness Log & Network 10.6.x

Document created by RSA Customer Support Employee on Apr 17, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000034713
Applies ToRSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector, Remote Collector
RSA Version: 10.6.x
IssueOn Log Collectors for RSA NetWitness Log & Network 10.6.x, the SELinux environment prevents the SCP protocol from working with the default configuration.

Log Collector versions 10.6.2 and later

The Log Collector configures SELinux to run Enforcing mode. This is required for the plugin collection protocol. If you have AWS Cloudtrail or Microsoft Azure event sources on a Log Collector, SELinux must remain in Enforcing mode.
The recommendation is to use a separate VLC for the File collection event sources using SCP. On this VLC, disable SELinux as mentioned below for Log Collector 10.6.0 and Later. This step MUST be performed whenever the Log Collector RPM is updated on this VLC.

Log Collector versions 10.6.0 and later

By default, SELinux runs in Permissive mode. Disabling SELinux resolves the problem.

To configure RSA version 10.6.0 and 10.6.1 Log Collectors

  1. Log into the Log Collector appliance.
  2. Edit the /etc/selinux/config file.
  3. Change the line from SELINUX=permissive or SELINUX=enforcing to:


  1. Save the file.
  2. Reboot the system.
  3. Confirm that SELinux is disabled by running the command sestatus. The command should return the following text:

SELinux status: disabled