000026841 - How to enable the SCP collection method in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000026841
Applies ToRSA Security Analytics
RSA Security Analytics 10.3.2
RSA Security Analytics 10.3.3
RSA Security Analytics Log Collector
IssueHow to enable  the SCP collection method in RSA Security Analytics.

At this moment, Log Collector does not support SCP out of the box.

SCP can be enabled by performing the steps below.

1. Making sure the log collector is at least on Security Analytics version 10.3.2.

2. Make sure that rssh-2.3.3 (or newer) package is installed.

3. Using WinSCP, upload the package to log collector(/root).

4. Install the package using the following command:  rpm -ivh rssh-2.3.3-2.el6.rf.x86_64.rpm

5. To verify the rpm is in the system, run the following command:  rpm -qa | grep rssh

The output should show: rssh-2.3.3-2.el6.rf.x86_64

6. Run the following command:  vi /etc/rssh.conf

7. Uncomment the line "allowscp" by removing the #, and add the following line:


8. Save the file by hitting the ESC key and entering :wq! and hit Enter

9. Change permissions for rssh binary and add user "xxxx" to the "rsshusers" group

            Run the following command: vi /etc/group

At the end of last line, press 'I' to get into insert mode enter:


            Note: xxxx can be any username BUT this username should be used on the event source when configuring the event source to sendi logs to Log Collector.

10. Add permissions to the rssh library with the following command:  chmod a+x /var/netwitness/logcollector/upload_chroot/usr/bin/rssh

11. Upload support to SCP is achieved by running the lc_upload_support script which is located in the /opt/netwitness/bin/lc_upload_support directory.

            Edit the script by running the following command: vi /opt/netwitness/bin/lc_upload_support

            Remove the line "ftp_enabled=yes".

            Save the file by hitting the ESC key and entering :wq! and hit Enter

            Execute the script with the following command:  sudo /opt/netwitness/bin/lc_upload_support -v install

            Note: After running the script, it will start the service vstfpd

12. Proceed to configure on event source.


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article IDa67242