Applies To
RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x

Issue
Ironport WSA fails when sending logs to the log collector using the file reader option. The current message is "scp failed to transfer to 10.254.66.35:22 /usr/bin/rssh permission denied lost connection".

Cause
The user upload was not added to the rssh.conf file, and the group did not have the user upload added.

Resolution
These are the variables involved in getting Ironport WSA version 9 to work with NetWitness:
User = upload
In rssh.conf, add at the bottom "user=upload:011:00011"
Group = rsshusers: this is the default group (rsshusers) that has access to the restricted shell.
The command below will add the user to the group. Note that it has to be a lower case "g".
Ownership on the home dir and down the rest of the recursive path
From the "var/netwitness/logcollector" dir, issue this recursive command to change the ownership of the dir "upload" downward.
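
The three settings above (the rssh.conf user line, the group membership and the ownership of the upload directory) can be checked with a script like the one below. It is an added example, not part of the RSA article: the function names and the file locations /etc/rssh.conf, /etc/passwd and /etc/group are assumptions, and it reads the access bits as the five digits rsync, rdist, cvs, sftp, scp described in rssh.conf(5).

```shell
#!/bin/sh
# Added example (not from the RSA article): verify the rssh settings for the
# WSA upload account. Default file locations below are assumptions.

# Print USER's per-user value from an rssh.conf-style file, e.g. upload:011:00011
rssh_user_entry() {  # $1 = conf file, $2 = user
    sed -e 's/#.*//' -e 's/[[:space:]"]//g' "$1" |
        awk -F= -v u="$2" '$1 == "user" { split($2, f, ":")
            if (f[1] == u) { print $2; exit } }'
}

# Exit 0 if scp is permitted, 1 if denied, 2 if USER has no line, 3 if malformed.
# Assumes the five access bits of rssh.conf(5): rsync, rdist, cvs, sftp, scp.
rssh_scp_allowed() {  # $1 = conf file, $2 = user
    entry=$(rssh_user_entry "$1" "$2")
    [ -n "$entry" ] || return 2
    case $(printf '%s' "$entry" | cut -d: -f3) in
        [01][01][01][01]1) return 0 ;;
        [01][01][01][01]0) return 1 ;;
        *) return 3 ;;
    esac
}

# Exit 0 if GROUP is USER's primary group (passwd) or lists USER as a member (group).
user_in_group() {  # $1 = passwd file, $2 = group file, $3 = user, $4 = group
    gid=$(awk -F: -v g="$4" '$1 == g { print $3; exit }' "$2")
    [ -n "$gid" ] || return 1
    awk -F: -v u="$3" -v gid="$gid" '$1 == u && $4 == gid { ok = 1 }
        END { exit !ok }' "$1" && return 0
    awk -F: -v g="$4" -v u="$3" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$2"
}

# List anything under DIR that USER does not own (empty output = nothing to fix).
not_owned_by() {  # $1 = dir, $2 = user name or numeric uid
    find "$1" ! -user "$2" -print
}

check_upload() {  # $1 = user, $2 = group, $3 = upload dir
    conf=${RSSH_CONF:-/etc/rssh.conf}
    rssh_scp_allowed "$conf" "$1" || echo "FAIL: $conf does not allow scp for $1 (code $?)"
    user_in_group /etc/passwd /etc/group "$1" "$2" || echo "FAIL: $1 is not in $2"
    [ -z "$(not_owned_by "$3" "$1")" ] || echo "FAIL: files under $3 not owned by $1"
}

# Run on the log collector as: sh <this script> upload rsshusers <upload dir>
if [ $# -eq 3 ]; then check_upload "$1" "$2" "$3"; fi
```

No output means all three checks passed; each FAIL line names the setting to revisit.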
After verifying the above settings, restart sshd with: