000033072 - Error:"scp failed to transfer..." when trying to setup Ironport WSA proxy appliance to forward logs to RSA Security Analytics via file reader

Document created by RSA Customer Support Employee on Jul 1, 2016Last modified by RSA Customer Support on Jul 9, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000033072
Applies ToRSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.4.x, 10.5.x, 10.6.x
Platform: CentOS
IssueIronport WSA fails when sending logs to the log collector using file reader. The current message is "scp failed to transfer to /usr/bin/rssh permission denied lost connection" when using the file reader option.
CauseUser upload was not added to the rssh.conf file and the group did not have that user upload added.
ResolutionThese are the variables involved getting Ironport WSA version 9 to work with NetWitness
User   =     upload
              uncomment  allowscp
              uncomment  allowsftp
              add at the bottom   “user=upload:011:00011”
group rsshusers – This is the default group (rsshusers) that has access to the restricted shell
              The command below will add the user to the group. Note it has to be a lower case “g”.

usermod -g rsshusers upload

Ownership on home dir down to the rest of the recursive path
                From the “var/netwitness/logcollector” dir issue this recursive command to change the
                ownership of the dir “upload” downward.

chown –R upload:uploads upload

After verifying the above settings, restart sshd with:

/etc/init.d sshd stop
/etc/init.d sshd start