|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.5.1.2
|Issue||Ironport WSA fails to send logs to the log collector using the file reader. The current message is "scp failed to transfer to 10.254.66.35:22 /usr/bin/rssh permission denied lost connection" when using the file reader option.|
|Cause||The user "upload" was not added to the rssh.conf file, and the group did not have the user "upload" added to it.|
|Resolution||These are the settings involved in getting an Ironport WSA version 9 to work with SA:
User = upload
In rssh.conf, add at the bottom (without the quotation marks): user=upload:011:00011
Group = rsshusers. This is the default group (rsshusers) that has access to the restricted shell.
The command below adds the user to the group. Note that the option has to be a lowercase "g".
usermod accepts both an uppercase and a lowercase g, but there is a difference: -g sets the user's primary group, while -G sets supplementary groups.
usermod -g rsshusers upload
Ownership of the home directory and the rest of the recursive path below it:
From the /var/netwitness/logcollector directory, issue this recursive command to change the
ownership of the directory "upload" and everything beneath it:
chown -R upload:uploads upload
This changes ownership from upload downward, allowing the job to write to the directory, etc.
After verifying the above settings, restart sshd with:
/etc/init.d/sshd stop
/etc/init.d/sshd start
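Added example, not part of the original RSA article: a shell function that reads an rssh.conf and reports whether a user's entry grants a given protocol, useful for confirming the "upload" entry above before retrying the transfer. It assumes the per-user format user=name:umask:accessbits[:chroot] from the rssh.conf man page, with access bits ordered rsync, rdist, cvs, sftp, scp; the function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: does an rssh.conf "user=" entry grant a protocol?
# Entry format (rssh.conf man page): user=NAME:UMASK:ACCESSBITS[:CHROOT]
# Access bits, left to right: rsync rdist cvs sftp scp
# Exit status: 0 allowed, 1 denied, 2 no usable entry (or bad argument)
rssh_user_allows() {
    conf=$1; user=$2; proto=$3
    case $proto in
        rsync) pos=1 ;; rdist) pos=2 ;; cvs) pos=3 ;;
        sftp) pos=4 ;; scp) pos=5 ;;
        *) echo "unknown protocol: $proto" >&2; return 2 ;;
    esac
    # Drop comments, blanks and optional double quotes, then take the
    # access bits of the first entry for this user (a simplification).
    bits=$(sed 's/#.*//' "$conf" | tr -d ' \t"' |
           awk -F'[=:]' -v u="$user" '$1 == "user" && $2 == u { print $4; exit }')
    case $bits in
        [01][01][01][01][01]) ;;
        "") echo "no user= entry for $user in $conf" >&2; return 2 ;;
        *) echo "malformed access bits for $user: $bits" >&2; return 2 ;;
    esac
    # The digit at the protocol's position decides access.
    [ "$(printf '%s' "$bits" | cut -c"$pos")" = 1 ]
}

# Constructed sample config (not taken from a real system).
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
logfacility = LOG_USER
umask = 022
user=upload:011:00011
user = "backup:077:00010"   # sftp only
EOF

for u in upload backup nobody; do
    if rssh_user_allows "$sample_conf" "$u" scp 2>/dev/null; then
        echo "$u: scp allowed"
    else
        echo "$u: scp not allowed (status $?)"
    fi
done
```

On a real collector, pass the path of the system's rssh.conf instead of the sample file.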