Install and Update the SFTP Agent

Document created by RSA Information Design and Development on May 19, 2016. Last modified by RSA Information Design and Development on May 4, 2017.
Version 7

Overview

This topic tells you how to download the RSA Security Analytics Secure FTP Agent and make the appropriate modifications for log collection.

You must use the SFTP protocol to upload events from File event sources to the Log Collector. See File Collection Protocol Configuration Guide for more details about configuring event sources.

RSA recommends that you use the RSA Security Analytics Secure FTP Agent, which you can download from the RSA SecurCare Online (SCOL) Customer Support website. The SFTP Agent package on SCOL contains the binaries for the agent; this document describes how to configure them. As part of the installation process, you generate a public/private key pair.

You need to create a user account for the file transfer on each Windows event source that sends data to the Log Collector. The accounts can have any name, but the documentation assumes the accounts are named sftp.

Install and Update the SA SFTP Agent

Complete the following steps to configure the SA SFTP agent on the event source:

  1. Run Microsoft Visual C++ 2005 Redistributable Package on Event Source.
  2. Install SA SFTP Agent on Event Source.
  3. Generate Key Pair on Event Source and Import Public Key to Log Collector.
  4. Select User Account to Run SA SFTP Agent Service.
  5. Cache Keys for Connection.
  6. Set Up SA SFTP Agent on Event Source.
  7. Start SA SFTP Agent Service from Windows Services Control Panel.

Run Microsoft Visual C++ 2005 Redistributable Package

To run the Microsoft Visual C++ 2005 redistributable package:

  1. Download either of the following packages to the event source:

  2. Click Download and run vcredist_x86.exe.

Install SA SFTP Agent on the Event Source

Caution: You must use the RSA Security Analytics Secure FTP Agent.

To install the SA SFTP Agent on the event source:

  1. Search for the RSA Security Analytics Secure FTP Agent on RSA SecurCare Online (SCOL).
  2. Choose your OS:

    • For a Windows client, click Secure FTP Agent to download the binaries.
    • For a UNIX client, click Unix Secure FTP Agent to download the binaries.
  3. Complete the rest of these instructions to install the SFTP Agent onto the event source.

Generate Key Pair on Event Source and Import Public Key to Log Collector

To generate the key pair on the event source and import the public key to Log Collector:

  1. Double-click puttygen.exe in the C:\sasftpagent directory. The PuTTY Key Generator starts.
  2. Select SSH-2 RSA as the type of key to generate.
  3. Click Generate and move the mouse in the PuTTY Key Generator window until the key is generated.
  4. Save the private key:

    1. Click Save private key.
    2. Select Yes to save the key without a passphrase.
    3. Save the file as private.ppk in the C:\sasftpagent directory.
  5. Add the public key to the Log Collector:

    1. Copy the public key into your buffer so that you can paste it into the parameter in Security Analytics as described in step 5b.

      [Screenshot: the PuTTY Key Generator window, with the public key to copy enclosed in a red box.]

    2. Paste the public key from your buffer into the Eventsource SSH Key parameter in Security Analytics. For details, see the Configure File Event Sources topic in the RSA Security Analytics Log Collection Guide.

  6. Close PuTTYgen.

Select User Account to Run SFTP Agent Service

After you import the public key to the Log Collector, you must:

  • Select either an existing user account, or
  • Create a user account on the event source to run the SFTP Agent Service.

To create a user account on the event source:

  1. In the Windows Start menu, click Programs > Administrative Tools > Active Directory Users and Computers.
  2. Click Action > New > User and create a new user under which you want the service to run.

    Note: The user account should be a member of the local Administrators group. The account must also have read access to the files that are sent to the Log Collector.

  3. Modify the SA SFTP Agent Service to use this user account:

    1. Right-click SA SFTP Agent and select Properties.
    2. Click the Log On tab.
    3. Select This account.
    4. Type the user name and password for the account that you are using to run the SFTP Agent Service.
    5. Click OK.
  4. Log off the event source and log back on using the new user account.

    Note: The user account that runs these steps must be the same user that runs the service.

  5. Cache the keys for the connection.

Cache Keys for Connection

After you create the user account that runs the SA SFTP Agent service, you must cache the keys that connect the event source to the Log Collector.

To cache the keys on the event source:

  1. Log on to the machine with the account you selected for the SA SFTP Agent Service.
  2. Run the following command from the C:\sasftpagent directory:

    psftp -i private.ppk -l sftp -v ngc-ip

    where:

    • private.ppk is the file containing the private key
    • ngc-ip is the IP address of the Log Collector

    The system displays a message that the server host key is not in the registry.

  3. Type Y and press ENTER to trust the host.
  4. At the psftp prompt, type quit, and press ENTER.

The Log Collector's host key is now cached in the registry of the event source, under the account that runs the service.

Set Up the SA SFTP Agent on the Event Source

To set up the SA SFTP agent on the event source:

  1. Go to the SA SFTP agent install directory (default directory is C:\sasftpagent).
  2. Sample configuration files are located in the sasftpagent directory. These samples are named according to the corresponding event source. For example, the sample SFTP configuration file for the Microsoft IIS event source is named sftpagent.conf.microsoftiis.
  3. Create the file C:\sasftpagent\sftpagent.conf from the appropriate sample file, and set its parameters according to the following legend.

    Parameter / Description

    agent.logginghost
      Hostname or IP address of the Log Collector to which the logs are sent.

    dir0
      Location of the log files for the event source on your local Windows system.

    dir0.filespec
      Files that you want to send to the Log Collector from the above location. In the examples below, any file with the .log extension is sent to the Log Collector.

    dir0.interval
      Amount of time between file transfers. You can modify this value.

    dir0.has_header
      If the log file has a header at the top, set this to true. If the log file does not have a header, set it to false.

    dir0.compression
      Value can be true or false.

      • Set to true to use compression. Log files are compressed and then sent in .gz format to the Log Collector.
      • Set to false to send the files uncompressed.

    dir0.enabled
      Must be set to true. Do not change it to false; if you do, no log files are sent to the Log Collector.

    dir0.ftp
      Log Collector-ip-address,sftp,sftp,publickey,//upload/event-source-type/filedirectory

      The remote path corresponds to the following directory on the Log Collector:

      /var/netwitness/logcollector/upload/

      Appended to the end of that path is the value you enter for the File Directory parameter when you create the event source in the Security Analytics User Interface.

    dir0.delete_after_read
      Value is either true or false. A value of true deletes the local files after the agent sends them to the Log Collector.

  4. Save the file, making sure the file name stays the same (that is, make sure not to append a .txt extension to the file).

Start SA SFTP Agent Service from Windows Services Control Panel

  1. Type services.msc at the command line and press ENTER.
  2. Start the SA SFTP Agent service.

Example Configuration Files

The following are examples of the sftpagent.conf file for various event sources.

An example configuration file for setting up a Microsoft IIS server:

agent.logginghost=<ngc-ip>
dir0=C:\inetpub\logs\LogFiles\W3SVC1
dir0.filespec=*.log
dir0.interval=60
dir0.has_header=false
dir0.compression=false
dir0.enabled=true
dir0.ftp=<ngc-ip>,sftp,sftp,publickey,//upload/iis_tvm/IIS
dir0.delete_after_read=true

An example configuration file for setting up an Apache event source:

dir0=C:\Program Files\Apache Group\Apache2\logs
dir0.filespec=access_log*
dir0.interval=60
dir0.has_header=false
dir0.compression=true
dir0.enabled=true
dir0.ftp=enVisionIP,nic_sshd,publickey,APACHE_10.10.31.155
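A typo in sftpagent.conf (a placeholder left unreplaced, a stray field in dir0.ftp, a non-boolean value) is only discovered when the agent silently sends nothing, so it is worth checking the file before starting the service. The following validator is an added example, not RSA's code or part of the agent: it parses the key=value format and enforces the legend above (the seven dirN.* keys, true/false values, a positive interval, and the five-field form of dirN.ftp shown in the legend and the IIS example). The assumptions that the collector named in dirN.ftp equals agent.logginghost and that unreplaced <...> placeholders are always errors are this example's own; 192.0.2.10 is a constructed, documentation-reserved address.

```python
"""Validate an sftpagent.conf against the parameter legend above.

Added example (not RSA's code). Assumptions made here: every dirN block
needs the seven dirN.* keys from the legend, dirN.ftp has the five
comma-separated fields shown in the legend and the IIS example, and the
collector named in dirN.ftp is the same host as agent.logginghost.
"""
from __future__ import annotations

import re
import sys

DIR_KEYS = ("filespec", "interval", "has_header", "compression",
            "enabled", "ftp", "delete_after_read")
BOOL_KEYS = {"has_header", "compression", "enabled", "delete_after_read"}
DIR_INDEX = re.compile(r"^dir(\d+)(?:\.|$)")   # dir0, dir0.filespec, dir1, ...
PLACEHOLDER = re.compile(r"<[^>]*>")          # e.g. an unreplaced <ngc-ip>


def parse_conf(text: str) -> dict[str, str]:
    """Parse key=value lines. Blank lines and '#' comments are skipped;
    values keep their backslashes and spaces (Windows paths)."""
    conf: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        conf[key.strip()] = value.strip()
    return conf


def check_ftp(name: str, value: str, host: str | None) -> list[str]:
    """Check dirN.ftp = collector,sftp,sftp,publickey,//upload/<type>/<dir>."""
    fields = value.split(",")
    if len(fields) != 5:
        return [f"{name} has {len(fields)} fields, expected 5: {value!r}"]
    collector, _user, _account, method, remote = fields
    problems = []
    if any(not f for f in fields):
        problems.append(f"{name} has an empty field: {value!r}")
    if host and collector != host:   # assumption: both name the Log Collector
        problems.append(f"{name} collector {collector!r} differs from agent.logginghost {host!r}")
    if method != "publickey":
        problems.append(f"{name} authentication field must be publickey, got {method!r}")
    if not remote.startswith("//upload/"):
        problems.append(f"{name} remote path must start with //upload/, got {remote!r}")
    return problems


def validate_conf(conf: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    host = conf.get("agent.logginghost")
    if host is None:
        problems.append("agent.logginghost is missing (Log Collector hostname or IP)")
    for key, value in conf.items():
        if PLACEHOLDER.search(value):
            problems.append(f"{key} still contains a placeholder: {value!r}")
    indexes = sorted({int(m.group(1)) for m in map(DIR_INDEX.match, conf) if m})
    if not indexes:
        problems.append("no dirN block defined; nothing would be collected")
    for n in indexes:
        prefix = f"dir{n}"
        if prefix not in conf:
            problems.append(f"{prefix} (local log directory) is missing")
        for key in DIR_KEYS:
            full = f"{prefix}.{key}"
            if full not in conf:
                problems.append(f"{full} is missing")
                continue
            val = conf[full]
            if key in BOOL_KEYS and val not in ("true", "false"):
                problems.append(f"{full} must be true or false, got {val!r}")
            if key == "enabled" and val == "false":
                problems.append(f"{full}=false: this directory sends nothing to the Log Collector")
            if key == "interval" and not (val.isdigit() and int(val) > 0):
                problems.append(f"{full} must be a positive integer, got {val!r}")
            if key == "ftp":
                problems.extend(check_ftp(full, val, host))
    return problems


def validate_text(text: str) -> list[str]:
    return validate_conf(parse_conf(text))


# Constructed sample: the IIS layout with a documentation-reserved address.
GOOD_CONF = r"""
agent.logginghost=192.0.2.10
dir0=C:\inetpub\logs\LogFiles\W3SVC1
dir0.filespec=*.log
dir0.interval=60
dir0.has_header=false
dir0.compression=false
dir0.enabled=true
dir0.ftp=192.0.2.10,sftp,sftp,publickey,//upload/iis_tvm/IIS
dir0.delete_after_read=true
"""

# Constructed sample with typical mistakes: no agent.logginghost, zero
# interval, a non-boolean, enabled=false, a placeholder and a stray ',>' field.
BAD_CONF = r"""
dir0=C:\inetpub\logs\LogFiles\W3SVC1
dir0.filespec=*.log
dir0.interval=0
dir0.has_header=yes
dir0.compression=false
dir0.enabled=false
dir0.ftp=<ngc-ip>,>,sftp,sftp,publickey,//upload/iis_tvm/IIS
dir0.delete_after_read=true
"""

if __name__ == "__main__":
    # Usage: python check_sftpagent_conf.py C:\sasftpagent\sftpagent.conf
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BAD_CONF
    found = validate_text(text)
    for p in found:
        print("PROBLEM:", p)
    print("OK" if not found else f"{len(found)} problem(s)")
    sys.exit(1 if found else 0)
```

Run it against C:\sasftpagent\sftpagent.conf before starting the service; a non-zero exit code means the file needs attention. The Apache sample above uses an older four-field dir0.ftp form, which this check would flag, so only the five-field form from the legend passes as written.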

Troubleshoot the SA SFTP Agent

To troubleshoot, you must first stop the service, and then run a command to view debugging messages.

To troubleshoot the SA SFTP Agent:

  1. Stop the SA SFTP Agent Service from the Windows Services window.
  2. Open a new command shell and change directories to the SA SFTP Agent installation directory.
  3. Type:

    sasftpagent -v

  4. Review the debug messages that are displayed.

The following sections describe some possible messages and how to fix the corresponding issues.

Error Opening SFTP Agent Configuration File

If the SFTP configuration file is missing, you get the following error:

Error opening file: sftpagent.conf

To resolve the issue, find or recreate the file and move it to the SA SFTP Agent installation directory.

Private Key Issues

If there is a problem with the generation of the key files, you may receive a message similar to the following:

Reading private key file "private.ppk"
Unable to use this key file (unable to open file)
Unable to use key file "private.ppk" (unable to open file)

Or, you may receive a message like the following if there is a key issue:

Offered public key
Server refused our key
Server refused public key

To resolve the issue, regenerate the key pair and import the new public key to the Log Collector.
