This topic tells you how to download the RSA Security Analytics Secure FTP Agent and make the appropriate modifications for log collection.
You must use the SFTP protocol to upload events from File event sources to the Log Collector. See the File Collection Protocol Configuration Guide for more details about configuring event sources.
RSA recommends that you use RSA Security Analytics Secure FTP Agent, which you can download from the RSA SecurCare Online (SCOL) Customer Support website. The SFTP Agent on SCOL consists of the binaries to install the SFTP Agent. You configure these binaries as described here, in this document. As part of the install process, you generate a public/private keypair.
You need to create a user account for the file transfer on each Windows event source that sends data to the Log Collector. The accounts can have any name, but the documentation assumes the accounts are named sftp.
Install and Update the SA SFTP Agent
Complete the following steps to configure the SA SFTP agent on the event source:
- Run Microsoft Visual C++ 2005 Redistributable Package on Event Source.
- Install SA SFTP Agent on Event Source.
- Generate Key Pair on Event Source and Import Public Key to Log Collector.
- Select User Account to Run SA SFTP Agent Service.
- Cache Keys for Connection.
- Set Up SA SFTP Agent on Event Source.
- Start SA SFTP Agent Service from Windows Services Control Panel.
To run the Microsoft Visual C++ 2005 redistributable package:
Download either of the following packages to the event source:
Microsoft Visual C++ 2005 Redistributable Package (x86):
Microsoft Visual C++ 2005 SP1 Redistributable Package (x86):
- Click Download and run vcredist_x86.exe.
Caution: You must use the RSA Security Analytics Secure FTP Agent.
To install the SA SFTP Agent on the event source:
- Search for the RSA Security Analytics Secure FTP Agent on RSA SecurCare Online (SCOL).
Choose your OS:
- For a Windows client, click Secure FTP Agent to download the binaries.
- For a UNIX client, click Unix Secure FTP Agent to download the binaries.
- Complete the rest of these instructions to install the SFTP Agent onto the event source.
To generate the key pair on the event source and import the public key to Log Collector:
- Double-click puttygen.exe in the C:\sasftpagent directory. The PuTTY Key Generator starts.
- Select SSH2 RSA as the type of key to generate.
- Click Generate and move the mouse in the PuTTY Key Generator window until the key is generated.
Save the private key:
- Click Save private key.
- Select Yes to not use a passphrase.
- Save the file as private.ppk in the C:\sasftpagent directory.
Add the public key to the Log Collector:
- Copy the public key from the PuTTY Key Generator window into your clipboard so that you can paste it into the parameter in Security Analytics in the next step. (In the original screenshot, the public key is the text enclosed in a red box.)
- Paste the public key from your clipboard into the Eventsource SSH Key parameter in Security Analytics. For details, see the Configure File Event Sources topic in the RSA Security Analytics Log Collection Guide.
- Close PuTTYgen.
After you import the public key to the Log Collector, you must:
- Select either an existing user account, or
- Create a user account on the event source to run the SFTP Agent Service.
To create a user account on the event source:
- In the Windows Start menu, click Programs > Administrator Tools > Active Directory Users and Computers.
- Click Action > New > User and create the user under which you want the service to run.
Note: The user account should be a member of the local admin group. The account must also have access to the files that are sent to Log Collector.
Modify the SA SFTP Agent Service to use this user account:
- Right-click SA SFTP Agent and select Properties.
- Click the Log On tab.
- Select This account.
- Type the user name and password for the account that you are using to run the SFTP Agent Service.
- Click OK.
Log off the event source and log back on using the new user account.
Note: The user account that runs these steps must be the same user that runs the service.
Cache the keys for the connection:
After you create the user account that runs the SA SFTP Agent service, you must cache the keys to connect the event source to the Log Collector.
To cache the keys on the event source:
- Log on to the machine with the account you selected for the SA SFTP Agent Service.
Run the following command from the C:\sasftpagent directory:
psftp -i private.ppk -l sftp -v ngc-ip
- private.ppk is the file containing the private key
- ngc-ip is the IP address of the Log Collector
The system displays a message that the server host key is not in the registry, along with the fingerprint of the key that was offered.
- Confirm that the fingerprint belongs to your Log Collector, then type Y and press ENTER to trust the host.
- At the psftp prompt, type quit, and press ENTER.
The key is now cached in the registry of the event source.
To set up the SA SFTP agent on the event source:
- Go to the SA SFTP agent install directory (default directory is C:\sasftpagent).
- Sample configuration files are located within the sasftpagent directory. These samples are named according to the corresponding event source. For example, the Microsoft IIS event source sample SFTP configuration file is named sftpagent.conf.microsoftiis.
Create the file C:\sasftpagent\sftpagent.conf, and use the appropriate sample file to configure according to the following legend.
Parameter descriptions:
- agent.logginhost: Hostname or IP address of the Log Collector to which the logs are sent.
- Location of the log files for the event source on your local Windows system.
- Files that you want to send to the Log Collector from the above location. In this example, any file with the *.log extension is sent to the Log Collector.
- Amount of time between file transfers. You can modify this value.
- Whether the log file has a header at the top. Set this to true if it does and to false if it does not.
- Whether to use compression; the value can be true or false. Set to true to compress the log files and send them to the Log Collector in .gz format; set to false to send them uncompressed.
- Value is set to true. Do not change it to false; if you do, the agent does not send any log files to the Log Collector.
- This path can be found on the Log Collector within the following path:
  Appended to the end of that path is the value you enter for the File Directory parameter when you create the event source in the Security Analytics User Interface.
- Either true or false. A value of true deletes the files after the agent sends the logs to the destination.
- Save the file, making sure the file name stays the same (that is, make sure not to append a .txt extension to the file).
- Type services.msc on the command line.
- Start the SA SFTP Agent service.
Example Configuration Files
The following are examples of the sftpagent.conf file for various event sources.
An example configuration file for setting up a Microsoft IIS server:
An example configuration file for setting up an Apache event source:
dir0=C:\Program Files\Apache Group\Apache2\logs
Troubleshoot the SA SFTP Agent
To troubleshoot, you must first stop the service, and then run a command to view debugging messages.
To troubleshoot the SA SFTP Agent:
- Stop the SA SFTP Agent Service from the Windows Services window.
- Open a new command shell and change directories to the SA SFTP Agent installation directory.
- Review the debug messages that are displayed.
The following sections describe some possible messages and how to fix the corresponding issues.
Error Opening SFTP Agent Configuration File
If the SFTP configuration file is missing, you get the following error:
Error opening file: sftpagent.conf
To resolve the issue, find or recreate the file and move it to the SA SFTP Agent installation directory.
Private Key Issues
If there is a problem with the generation of the key files, you may receive a message similar to the following:
Reading private key file "private.ppk"
Unable to use this key file (unable to open file)
Unable to use key file "private.ppk" (unable to open file)
Or, you may receive a message like the following if there is a key issue:
Offered public key
Server refused our key
Server refused public key
To resolve the issue, regenerate the key pairs and push the key to the Log Collector.
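The following PowerShell pre-flight check is an added example for the setup and troubleshooting steps above; it is not part of the RSA SFTP Agent. It assumes the default install directory C:\sasftpagent, the private.ppk file name used above, and a service registered with the display name SA SFTP Agent, and it reports the conditions behind the errors listed in this section before you start the service.

```powershell
# Added pre-flight check; not part of the RSA SFTP Agent distribution. Assumes the
# default install directory, private.ppk, and service display name "SA SFTP Agent".
$agentDir = 'C:\sasftpagent'
$conf     = Join-Path $agentDir 'sftpagent.conf'
$key      = Join-Path $agentDir 'private.ppk'
$problems = @()

# Configuration file: a missing file gives "Error opening file: sftpagent.conf";
# a common cause is the file having been saved as sftpagent.conf.txt.
if (-not (Test-Path -LiteralPath $conf)) {
    $problems += "Missing $conf"
    if (Test-Path -LiteralPath "$conf.txt") { $problems += "Found $conf.txt; remove the .txt extension" }
} else {
    # Keep only key=value lines (skip blanks and '#' comments)
    $cfg = @(Get-Content -LiteralPath $conf | Where-Object { $_ -match '^\s*[^#\s][^=]*=' })
    if (-not ($cfg -match '^agent\.logginhost=\S+')) {
        $problems += 'agent.logginhost is not set in sftpagent.conf'
    }
    # Every dirN= entry must point at an existing log directory
    foreach ($line in ($cfg -match '^dir\d+=')) {
        $dir = ($line -split '=', 2)[1].Trim()
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            $problems += "Log directory in '$line' does not exist"
        }
    }
}

# Service account and private key: "Unable to use key file (unable to open file)"
# usually means the file is missing or the service account cannot read it.
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='SA SFTP Agent'"
if (-not $svc) {
    $problems += "Service 'SA SFTP Agent' is not installed"
} else {
    $account = $svc.StartName          # must be the same account that cached the host key
    if (-not (Test-Path -LiteralPath $key)) {
        $problems += "Missing $key"
    } else {
        # List identities with an explicit Allow read ACE; access granted only through
        # group membership is reported as a warning so the operator can confirm it.
        $readers = (Get-Acl -LiteralPath $key).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and "$($_.FileSystemRights)" -match 'Read|FullControl' } |
            ForEach-Object { $_.IdentityReference.Value }
        if ($readers -notcontains $account) {
            $problems += "No explicit read ACE for $account on $key (readers: $($readers -join ', '))"
        }
    }
    if ($svc.State -ne 'Running') { $problems += "Service state is $($svc.State)" }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Pre-flight checks passed' }
```

Run it as an administrator on the event source; each warning maps to one of the setup steps or error messages above.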