000037963 - Windows server SFTP collection is not persistent for RSA NetWitness Platform Collector

Document created by RSA Customer Support Employee on Oct 24, 2019
Version 1

Article Content

Article Number: 000037963
Applies To: RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Product Name: Windows Server
Issue: Windows SFTP collection was configured using the SFTP document. However, SFTP collection frequently stops. Manually restarting the SFTP Agent service on the Windows server starts collection again.
Cause: This issue is due to a key caching mismatch with the user account.
Resolution: Follow the steps below for SFTP collection persistence.

1. Log in to the Windows Server using the user account that was used to run the SFTP Agent Service.
2. Open the command prompt and run the following command from the C:\sasftpagent directory:

psftp -i private.ppk -l sftp -v log_collector_IP_address

      private.ppk is the file containing the private key
      log_collector_IP_address is the IP address of the Log Collector

3. The system displays a prompt and some choices.
4. After the prompt, you can enter any of the following options:
    - g: Global. If you enter 'g', the fingerprint is installed in the system environment, which is visible to all users.
           Note: If you enter the global value, you do not need to run the SFTP service as the user that installed the agent; any user can run the SFTP service.
    - l: (lower case L) Local. If you enter 'l', the fingerprint is stored in the HKEY_LOCAL_USER registry hive, visible only to the currently logged-in user (and Administrators).
    - n: Cancel. Cancels the registration procedure.
5. At the psftp prompt, type quit, and press ENTER.
6. Start the SFTP Agent Service from the Windows Services Control Panel:

a. Type services.msc on the command line.
b. Start the SA SFTP Agent service.
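
A quick check for the mismatch described under Cause, as an added example that is not part of the RSA article: it compares the account the service runs as with the logged-in user and looks for a per-user cached host key for the Log Collector. It assumes the service display name is SA SFTP Agent (taken from the steps above) and that the bundled psftp caches per-user host keys in the stock PuTTY registry location, which the article does not confirm.

```powershell
# Added example, not RSA code. Run as the user you logged in with in step 1.
param(
    [Parameter(Mandatory = $true)]
    [string]$LogCollectorIP   # same IP address used in the psftp command
)

$displayName = 'SA SFTP Agent'   # display name from the article; adjust if yours differs
# Assumption: per-user host keys are cached where stock PuTTY keeps them.
$hostKeyPath = 'HKCU:\Software\SimonTatham\PuTTY\SshHostKeys'

# 1. Which account does the service run as?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName = '$displayName'"
if (-not $svc) {
    Write-Warning "Service '$displayName' not found; adjust `$displayName."
    return
}

# Normalise '.\user' to 'COMPUTER\user' so it can be compared with the current identity.
$svcAccount = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
$current    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

"Service account : $svcAccount"
"Current user    : $current"
"Service state   : $($svc.State)"

if ($svcAccount -ine $current) {
    Write-Warning ("The service runs as a different account. A fingerprint stored with 'l' " +
                   "under $current is not visible to it; log in as $svcAccount or use 'g'.")
}

# 2. Is a host key for the Log Collector cached for the current user?
#    Stock PuTTY names the values like 'rsa2@22:192.0.2.10'.
$cached = @()
if (Test-Path $hostKeyPath) {
    $cached = @((Get-Item $hostKeyPath).Property |
                Where-Object { $_ -like "*:$LogCollectorIP" })
}

if ($cached.Count -gt 0) {
    "Cached host key entries for ${LogCollectorIP}:"
    $cached | ForEach-Object { "  $_" }
} else {
    Write-Warning "No per-user host key cached for $LogCollectorIP; run the psftp step above."
}
```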