000038224 - File collection fails to start with "Operation not permitted" error on an RSA NetWitness Platform Log Collector

Document created by RSA Customer Support Employee on Dec 20, 2019
Version 1

Article Content

Article Number: 000038224
Applies To:
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Local Log Collector, Remote Log Collector
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Issue: When you try to start the File collection method on a Log Collector, it fails and the following error message appears in the logs:

NwLogCollector[775]: [FileCollection] [failure] Failed to start collection: Operation not permitted src: /home/upload/.ssh/authorized_keys tgt: /home/upload/.ssh/authorized_keys.bak

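Resolution: This issue is likely due to the immutable attribute being set on the authorized_keys file in /home/upload/.ssh on the Log Collector. An immutable file cannot be modified, renamed or deleted, even by root, which is why the operation from authorized_keys (src) to authorized_keys.bak (tgt) shown in the log is refused.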
You can verify this by running the lsattr command. If you see the 'i' flag in the output, it means the immutable attribute has been set:

[root@nwlogcollector ~]# lsattr /home/upload/.ssh/authorized_keys  
----i----------- /home/upload/.ssh/authorized_keys     <========== immutable attribute set

To resolve this, you will need to remove/unset the attribute using the chattr -i command:

chattr -i /home/upload/.ssh/authorized_keys

Verify that the flag has indeed been removed:

[root@nwlogcollector ~]# lsattr /home/upload/.ssh/authorized_keys  
---------------- /home/upload/.ssh/authorized_keys     <========== immutable attribute removed

You should now be able to start the File collection.
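
The check, removal and verification steps above combined into one script, added here as an example and not RSA's own code; the function names and the --run switch are assumptions of this example. It tests only the flags field of the lsattr output, because the path itself ("authorized_keys") contains the letter i and a plain grep for 'i' on the whole line would always match.

```shell
#!/bin/bash
# Added example (not from the original article): detect and clear the
# immutable attribute on the file named in the error message.

# Path taken from the log line quoted in this article.
KEYFILE=/home/upload/.ssh/authorized_keys

# Return 0 if one line of lsattr output reports the immutable ('i') flag.
# Only the first space-separated field holds the attribute flags.
has_immutable_flag() {
    local flags=${1%% *}
    case $flags in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Check one path, clear the attribute if it is set, then verify the result.
# Returns 0 on success, 1 if the flag is still set, 2 if lsattr/chattr failed.
clear_immutable() {
    local path=$1 line
    line=$(lsattr -d "$path") || return 2
    if ! has_immutable_flag "$line"; then
        echo "immutable not set: $path"
        return 0
    fi
    echo "immutable set, clearing: $path"
    chattr -i "$path" || return 2
    line=$(lsattr -d "$path") || return 2
    if has_immutable_flag "$line"; then
        echo "immutable still set: $path" >&2
        return 1
    fi
    echo "immutable removed: $path"
}

# Nothing is changed unless the script is started with --run (as root).
if [ "${1:-}" = "--run" ]; then
    clear_immutable "$KEYFILE"
fi
```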

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.