000033072 - Error: "scp failed to transfer..." when trying to set up Ironport WSA proxy appliance to forward logs to RSA Security Analytics 10.5.1.2 via file reader

Document created by RSA Customer Support Employee on Jul 1, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000033072
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.5.1.2
Platform: CentOS
 
Issue: Ironport WSA fails to send logs to the log collector using file reader. The current message is "scp failed to transfer to 10.254.66.35:22 /usr/bin/rssh permission denied lost connection" when using the file reader option.
Cause: The user upload was not added to the rssh.conf file, and the group did not have that user added.
Resolution: These are the settings involved in getting an Ironport WSA version 9 to work with SA.
 
User = upload

rssh.conf
                uncomment allowscp
                uncomment allowsftp
                add at the bottom: user=upload:011:00011
               
group rsshusers - This is the default group (rsshusers) that has access to the restricted shell.
                The command below adds the user to the group. Note that it has to be a lowercase "g".
                usermod accepts both an uppercase and a lowercase g, but they differ: -g sets the user's primary group, while -G sets supplementary groups.

                usermod -g rsshusers upload
 
Ownership of the home dir and everything below it
                From the "var/netwitness/logcollector" dir, issue this recursive command to change the
                ownership of the dir "upload" and everything below it.

                chown -R upload:uploads upload

                This changes ownership from upload downward, allowing the job to write to the dir.

After verifying the above settings, restart sshd with:
                /etc/init.d/sshd stop
                /etc/init.d/sshd start
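
The rssh.conf settings listed above can be checked before retrying the transfer. The shell function below is an added example, not part of the original RSA article. It assumes the rssh.conf(5) layout user=name:umask:access bits, with the five bits covering rsync, rdist, cvs, sftp and scp in that order; the name check_rssh_conf is hypothetical.

```shell
#!/bin/sh
# Added example (not RSA's code): audit rssh.conf for the settings in this article.
# Assumption: access bits follow rssh.conf(5) order: rsync, rdist, cvs, sftp, scp.

# check_rssh_conf FILE USER: prints one finding per line, returns the finding count
check_rssh_conf() {
    conf=$1; user=$2; problems=0

    # allowscp and allowsftp must appear as uncommented keywords
    for kw in allowscp allowsftp; do
        if ! grep -Eq "^[[:space:]]*$kw[[:space:]]*\$" "$conf"; then
            echo "MISSING: $kw is commented out or absent"
            problems=$((problems + 1))
        fi
    done

    # per-user entry: user=NAME:UMASK:BITS, optionally quoted; this check reads the last match
    line=$(grep -E "^[[:space:]]*user[[:space:]]*=[[:space:]]*[\"']?$user:" "$conf" | tail -n 1) || true
    if [ -z "$line" ]; then
        echo "MISSING: no user= entry for $user"
        return $((problems + 1))
    fi
    bits=$(printf '%s' "${line#*=}" | tr -d " \t\"'" | cut -d: -f3)
    case $bits in
        [01][01][01][01][01]) ;;
        *) echo "INVALID: access bits '$bits' are not five binary digits"
           return $((problems + 1)) ;;
    esac

    # the fourth and fifth bits grant sftp and scp
    [ "$(printf '%s' "$bits" | cut -c4)" = 1 ] || { echo "DENIED: sftp bit is 0 for $user"; problems=$((problems + 1)); }
    [ "$(printf '%s' "$bits" | cut -c5)" = 1 ] || { echo "DENIED: scp bit is 0 for $user"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample: a config still in the failing state described under Cause
sample=$(mktemp)
printf '%s\n' '#allowscp' '#allowsftp' > "$sample"
check_rssh_conf "$sample" upload || echo "findings: $?"
rm -f "$sample"
```

On the appliance, point the function at the real rssh.conf and the upload user; a return value of 0 means all three rssh.conf settings from this article are in place.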
 
