000032249 - How to enable SFTPAgent to send files originally generated in gz format by the Event Source instead of log or XML format in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000032249
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Virtual Log Collector (VLC), SFTPAgent
RSA Version/Condition: 10.4.1.x, 10.5.x
Platform: CentOS
O/S Version: EL6
Issue: In some situations it may be necessary to send logs in the gz format originally generated by the Event Source rather than in log, txt or XML format.
With its standard configuration, SFTPAgent treats every file it sends to the Log Collector or VLC as plain ASCII text. A gz file handled this way is altered in transit, so the Log Collector or VLC receives a corrupt file.
Resolution: The solution is to have SFTPAgent treat the gz files as binary streams by setting the following parameter in the sftpagent.conf file:
dir0.binary=true

The steps to do this are as follows:
  1. Stop File Collection on the VLC or Log Collector.
  2. Stop the agent service.
  3. Back up and delete the POS directory in the agent installation directory (the directory SFTPAgent writes its position marker files to), if one exists.
  4. Add the following flags to sftpagent.conf:
    dir0.binary=true
    dir0.compression=false
    dir0.has_header=false

  5. Start the SFTPAgent service.
  6. Start the File Collection on the VLC or Log Collector.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
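As an added check that is not part of the original article or of the RSA product: a small Python script that reads an sftpagent.conf, groups the dirN.* settings, and reports any directory whose file pattern ends in .gz that is missing one of the three settings above. The dirN.filespec key name and the sample configuration are assumptions; only dirN.binary, dirN.compression and dirN.has_header come from the article.

```python
"""Lint an sftpagent.conf for collection directories that ship .gz files."""
import re

# The three settings the article requires for a directory of gz files.
REQUIRED_FOR_GZ = {"binary": "true", "compression": "false", "has_header": "false"}

# Constructed sample config (not a real agent file). dirN.filespec is an ASSUMED key
# name for a directory's file pattern; the other three keys are named in the article.
SAMPLE_CONF = """\
dir0.path=/var/log/eventsource/archive
dir0.filespec=*.gz
dir0.binary=false
dir0.compression=true
dir1.path=/var/log/eventsource/plain
dir1.filespec=*.log
dir2.path=/var/log/eventsource/compressed
dir2.filespec=*.gz
dir2.binary=true
dir2.compression=false
dir2.has_header=false
"""


def parse_conf(text):
    """Return {dir_prefix: {key: value}} from key=value lines; comments and blanks are skipped."""
    dirs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = re.match(r"^(dir\d+)\.(\w+)$", key)
        if m:
            dirs.setdefault(m.group(1), {})[m.group(2)] = value.lower()
    return dirs


def gz_findings(text, filespec_key="filespec"):
    """Return (dir, key, expected, actual) for each gz directory setting that is wrong or unset."""
    findings = []
    for name, settings in sorted(parse_conf(text).items()):
        if not settings.get(filespec_key, "").endswith(".gz"):
            continue  # not a gz directory, so text handling is fine
        for key, expected in REQUIRED_FOR_GZ.items():
            actual = settings.get(key, "<unset>")
            if actual != expected:
                findings.append((name, key, expected, actual))
    return findings


if __name__ == "__main__":
    for d, k, exp, act in gz_findings(SAMPLE_CONF):
        print(f"{d}.{k}: expected {exp}, found {act}")
```

Run it against the real sftpagent.conf by reading the file into `gz_findings` instead of `SAMPLE_CONF`; an empty result means every gz directory carries all three settings.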
