At this moment, Log Collector does not support SCP out of the box.
SCP can be enabled by performing the steps below.
1. Make sure the Log Collector is running at least Security Analytics version 10.3.2.
2. Make sure that the rssh-2.3.3 (or newer) package is installed.
3. Using WinSCP, upload the package to the Log Collector (/root).
4. Install the package using the following command: rpm -ivh rssh-2.3.3-2.el6.rf.x86_64.rpm
5. To verify the rpm is in the system, run the following command: rpm -qa | grep rssh
The output should show: rssh-2.3.3-2.el6.rf.x86_64
6. Run the following command: vi /etc/rssh.conf
7. Uncomment the line "allowscp" by removing the #, and add the following line:
8. Save the file by pressing the ESC key, entering :wq! and pressing Enter.
9. Change permissions for rssh binary and add user "xxxx" to the "rsshusers" group
Run the following command: vi /etc/group
At the end of the last line, press 'I' to get into insert mode and enter:
Note: xxxx can be any username, BUT the same username must be used on the event source when configuring it to send logs to the Log Collector.
10. Add permissions to the rssh library with the following command: chmod a+x /var/netwitness/logcollector/upload_chroot/usr/bin/rssh
11. SCP upload support is enabled by running the lc_upload_support script, which is located at /opt/netwitness/bin/lc_upload_support.
Edit the script by running the following command: vi /opt/netwitness/bin/lc_upload_support
Remove the line "ftp_enabled=yes".
Save the file by pressing the ESC key, entering :wq! and pressing Enter.
Execute the script with the following command: sudo /opt/netwitness/bin/lc_upload_support -v install
Note: Running the script starts the vsftpd service.
12. Proceed to configure the event source.
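A read-only check of steps 7, 9, 10 and 11, added here as an example (it is not part of the original article or an RSA tool). It assumes the standard /etc/group layout, in which the fourth colon-separated field is the member list; the function name and the script file name are hypothetical.

```bash
#!/bin/bash
# Added example: verifies the edits from steps 7, 9, 10 and 11 without changing anything.
# Usage: ./check_scp_setup.sh <username>   (script name is hypothetical)
check_scp_setup() {
    local user=$1
    local conf=${2:-/etc/rssh.conf}
    local group=${3:-/etc/group}
    local rssh_bin=${4:-/var/netwitness/logcollector/upload_chroot/usr/bin/rssh}
    local script=${5:-/opt/netwitness/bin/lc_upload_support}
    local rc=0 members
    [ -n "$user" ] || { echo "usage: check_scp_setup <username>"; return 2; }

    # Step 7: "allowscp" must be present and not commented out.
    if grep -Eq '^[[:space:]]*allowscp([[:space:]]|$)' "$conf" 2>/dev/null; then
        echo "OK    allowscp is enabled in $conf"
    else
        echo "FAIL  allowscp is missing or still commented in $conf"; rc=1
    fi

    # Step 9: the user must appear in the member list (4th field) of rsshusers.
    members=$(awk -F: '$1 == "rsshusers" { print $4 }' "$group" 2>/dev/null)
    case ",$members," in
        *",$user,"*) echo "OK    $user is a member of rsshusers" ;;
        *) echo "FAIL  $user is not listed in rsshusers in $group"; rc=1 ;;
    esac

    # Step 10: chmod a+x means all three execute bits are set.
    if [ -n "$(find "$rssh_bin" -maxdepth 0 -perm -111 2>/dev/null)" ]; then
        echo "OK    $rssh_bin is executable by all"
    else
        echo "FAIL  $rssh_bin is missing or not executable by all"; rc=1
    fi

    # Step 11: the "ftp_enabled=yes" line must have been removed.
    if [ ! -r "$script" ]; then
        echo "FAIL  cannot read $script"; rc=1
    elif grep -Eq '^[[:space:]]*ftp_enabled=yes' "$script"; then
        echo "FAIL  ftp_enabled=yes is still present in $script"; rc=1
    else
        echo "OK    ftp_enabled=yes is not set in $script"
    fi
    return $rc
}

# Run against the live paths only when a username is passed on the command line.
if [ "$#" -gt 0 ]; then check_scp_setup "$@"; fi
```

Pass the same username that was added to rsshusers in step 9; the exit status is non-zero if any check fails.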
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.