000039301 - Issues collecting logs via SFTP agent after Windows Server upgrade in RSA NetWitness Platform

Document created by RSA Customer Support Employee on Sep 20, 2020
Version 1

Article Content

Article Number: 000039301

Applies To

RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.3.2
Platform: CentOS
O/S Version: 7

Issue

After Windows Server upgrade from 2008 to 2016, the following errors are observed when collecting logs via the SFTP agent.

Logging @192.168.20.164 <6> %NIC-6-251036: SFtp Agent, SFtp Agent, -, -, -, -, Detail: 5780: Host 192.168.20.36, Current working directory is: C:\sasftpagent
to socket 328
Mon Aug 31 13:42:45 @192.168.20.164 <6> %NIC-6-251036: SFtp Agent, SFtp Agent, -, -, -, -, Detail: 5780: Host 192.168.20.36, Current working directory is: C:\sasftpagent
Logging @192.168.20.164 <3> %NIC-3-251002: SFtp Agent, SFtp Agent, -, -, -, -, Detail: 5780: Host 192.168.20.36, Error (13) opening file: C:\sasftpagent\1598848965_192.168.20.36_SSO_Port_Monitoring_HQSMS01.txt.gz
to socket 328
Mon Aug 31 13:42:45 @192.168.20.164 <3> %NIC-3-251002: SFtp Agent, SFtp Agent, -, -, -, -, Detail: 5780: Host 192.168.20.36, Error (13) opening file: C:\sasftpagent\1598848965_192.168.20.36_SSO_Port_Monitoring_HQSMS01.txt.gz
Logging @192.168.20.164 <7> %NIC-7-251021: SFtp Agent, SFtp Agent, -, -, -, -, Detail: 5780: Host 192.168.20.36, 192.168.20.36:Adding directory C:\SSO_LOG\ to socket 328
Mon Aug 31 13:42:45 @192.168.20.164 <7> %NIC-7-251021: SFtp Agent, SFtp Agent, -, -, -, -, Detail: 5780: Host 192.168.20.36, 192.168.20.36:Adding directory C:\SSO_LOG\
Logging @192.168.20.164 <7> %NIC-7-251021: SFtp Agent, SFtp Agent, -, -, -, -, Detail: 5780: Host 192.168.20.36, 192.168.20.36:POS file does not exist

Before the OS upgrade, the configuration files on Windows Server 2008, such as sftpagent.conf, private.ppk, and the public key, were backed up.
After the OS upgrade, they were copied back to Windows Server 2016, and there is no issue with the SFTP connection between the Windows Server and the log collector, as shown below.

C:\sasftpagent>psftp -i private.ppk -l sftp -v 192.168.20.164
Connecting to 192.168.20.164 port 22
We claim version: SSH-2.0-PuTTY_Release_0.70
Server version: SSH-2.0-OpenSSH_7.4
Using SSH protocol version 2
Doing ECDH key exchange with curve nistp256 and hash SHA-256
Server also has ssh-rsa host key, but we don't know it
Host key fingerprint is:
ecdsa-sha2-nistp256 256 83:bf:e4:24:b2:94:4f:f2:e1:57:43:5d:25:11:4b:35
Could not read fingerprint from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\SSHK-192.168.20.164
Host key was not located in the environment, trying registry...
Host key matched what was in registry
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA-256 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA-256 server->client MAC algorithm
Reading key file "private.ppk"
Using username "sftp".
Offered public key
Offer of public key accepted
Authenticating with public key "rsa-key-20200825"
Sent public key signature
Access granted
Opening session as main channel
Opened main channel
Started a shell/command
Connected to 192.168.20.164


 
Cause

For the SFTP agent to work properly, it requires certain permissions. For example:

  • Permission to access the log files path.
  • Permission to access the sftpagent directory for writing the temp and POS files.
  • Permission to access the registry for caching keys.

Workaround

After the Windows upgrade to 2016, if the user account (a member of a user group) does not have write permission, the agent fails to write to files in the agent directory.
Therefore, you need to add the write permission to the user group that runs sftpagent. After that, the agent will process the logs properly and the logs will be collected successfully on the log collector.
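
One way to check and apply the permission change described above, as an added PowerShell example (not RSA's own tooling). The paths C:\sasftpagent and C:\SSO_LOG come from the log output in this article; the group name EXAMPLE\SftpAgentUsers is a placeholder for the group that runs sftpagent, and the ACL check looks only at direct Allow entries for that group.

```powershell
# Added example. Paths are taken from the article's log output; the group is a placeholder.
param(
    [string]$AgentDir = 'C:\sasftpagent',
    [string]$LogDir   = 'C:\SSO_LOG',
    [string]$Group    = 'EXAMPLE\SftpAgentUsers',  # placeholder: group that runs sftpagent
    [switch]$Grant                                  # add the Write entry if it is missing
)

# True if $Identity has a direct Allow entry on $Path covering $Right.
# Does not resolve nested groups or Deny entries.
function Test-AclRight {
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Right)
    $match = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        ($_.FileSystemRights -band $Right) -eq $Right
    }
    [bool]$match
}

# Creates and removes a file as the current account, like the agent's temp and POS writes.
function Test-WriteProbe {
    param([string]$Dir)
    $probe = Join-Path $Dir ('probe_{0}.tmp' -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
        $true
    } catch { $false }
}

$canRead  = Test-AclRight -Path $LogDir   -Identity $Group -Right Read
$canWrite = Test-AclRight -Path $AgentDir -Identity $Group -Right Write

if ($Grant -and -not $canWrite) {
    # Add an inheritable Write entry for the group on the agent directory.
    $acl  = Get-Acl -LiteralPath $AgentDir
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Group, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $AgentDir -AclObject $acl
    $canWrite = Test-AclRight -Path $AgentDir -Identity $Group -Right Write
}

[pscustomobject]@{
    Group            = $Group
    LogDirRead       = $canRead
    AgentDirWrite    = $canWrite
    WriteProbePassed = Test-WriteProbe -Dir $AgentDir  # reflects the account running this script
}
```

Run it without -Grant first to report the current state. The write probe is only meaningful when the script runs under the same account as the agent.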
