000026841 - How to enable the SCP collection method in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026841
Applies To: RSA Security Analytics
RSA Security Analytics 10.3.2
RSA Security Analytics 10.3.3
RSA Security Analytics Log Collector
Issue: How to enable the SCP collection method in RSA Security Analytics.
Resolution

At this moment, Log Collector does not support SCP out of the box.


SCP can be enabled by performing the steps below.



1. Make sure the Log Collector is running at least Security Analytics version 10.3.2.


2. Make sure that the rssh-2.3.3 (or newer) package is installed.


3. Using WinSCP, upload the package to the Log Collector (/root).


4. Install the package using the following command:  rpm -ivh rssh-2.3.3-2.el6.rf.x86_64.rpm


5. To verify the rpm is in the system, run the following command:  rpm -qa | grep rssh


The output should show: rssh-2.3.3-2.el6.rf.x86_64


6. Run the following command:  vi /etc/rssh.conf


7. Uncomment the line "allowscp" by removing the #, and add the following line:


            user-upload:011:00011:"/var/netwitness/logcollector/upload_chroot"


8. Save the file by pressing the ESC key, entering :wq! and pressing Enter.


9. Change permissions for the rssh binary and add user "xxxx" to the "rsshusers" group.


            Run the following command: vi /etc/group


            At the end of the last line, press 'I' to get into insert mode and enter:


            rsshusers:x:498:xxxx


            Note: xxxx can be any username, but the same username must be used on the event source when configuring it to send logs to the Log Collector.


10. Add permissions to the rssh library with the following command:  chmod a+x /var/netwitness/logcollector/upload_chroot/usr/bin/rssh


11. SCP upload support is enabled by running the lc_upload_support script, which is located at /opt/netwitness/bin/lc_upload_support.


            Edit the script by running the following command: vi /opt/netwitness/bin/lc_upload_support


            Remove the line "ftp_enabled=yes".


            Save the file by pressing the ESC key, entering :wq! and pressing Enter.


            Execute the script with the following command:  sudo /opt/netwitness/bin/lc_upload_support -v install


            Note: After the script runs, it starts the vsftpd service.


12. Proceed to configure the event source.
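
A post-install check for the procedure above, as an added example that is not part of the original article or RSA's tooling: it audits the results of steps 7, 9 and 10 and runs here against a constructed sample tree. The function names and the ROOT prefix argument are assumptions of this example; the meaning of the access bits follows rssh.conf(5).

```shell
#!/bin/sh
# Added example (not RSA code): audit the end state of the SCP upload procedure.
# Each check takes ROOT, a filesystem prefix ("" means the live system).
CHROOT_DIR=/var/netwitness/logcollector/upload_chroot

check_allowscp() {      # step 7: allowscp present and uncommented
    grep -Eq '^[[:space:]]*allowscp[[:space:]]*$' "$1/etc/rssh.conf"
}
user_access_bits() {    # step 7: third ':' field of the line naming the chroot
    grep -v '^[[:space:]]*#' "$1/etc/rssh.conf" | grep -F "$CHROOT_DIR" |
        head -n 1 | cut -d: -f3
}
check_scp_bit() {       # rssh.conf(5): bits are rsync,rdist,cvs,sftp,scp
    case "$(user_access_bits "$1")" in
        [01][01][01][01]1) return 0 ;;
        *) return 1 ;;
    esac
}
check_group_member() {  # step 9: user $2 listed in the rsshusers group
    awk -F: -v u="$2" '$1 == "rsshusers" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1
    } END { exit !ok }' "$1/etc/group"
}
check_rssh_exec() {     # step 10: rssh inside the chroot is executable
    [ -x "$1$CHROOT_DIR/usr/bin/rssh" ]
}
audit_scp_setup() {     # usage: audit_scp_setup ROOT USERNAME
    rc=0
    check_allowscp "$1" || { echo "FAIL: allowscp not enabled"; rc=1; }
    check_scp_bit "$1" || { echo "FAIL: scp bit not set on chroot user line"; rc=1; }
    check_group_member "$1" "$2" || { echo "FAIL: $2 not in rsshusers"; rc=1; }
    check_rssh_exec "$1" || { echo "FAIL: chroot rssh not executable"; rc=1; }
    return "$rc"
}
make_sample_root() {    # constructed sample tree mirroring the article's values
    r=$(mktemp -d)
    mkdir -p "$r/etc" "$r$CHROOT_DIR/usr/bin"
    printf '%s\n' '#allowsftp' 'allowscp' \
        "user-upload:011:00011:\"$CHROOT_DIR\"" > "$r/etc/rssh.conf"
    printf '%s\n' 'root:x:0:' 'rsshusers:x:498:xxxx' > "$r/etc/group"
    : > "$r$CHROOT_DIR/usr/bin/rssh"
    chmod a+x "$r$CHROOT_DIR/usr/bin/rssh"
    echo "$r"
}
demo_root=$(make_sample_root)
audit_scp_setup "$demo_root" xxxx && echo "PASS: SCP upload prerequisites in place"
rm -rf "$demo_root"
```

On a Log Collector, call audit_scp_setup with an empty ROOT and the username chosen in step 9. The access bits 00011 in the article's line permit both sftp and scp for that user.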



 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a67242
