000033389 - RSA Security Analytics - SFTP Cache key to connect event source with STIG collector fails with error "Fatal: Received unexpected end-of-file from sftp server"

Document created by RSA Customer Support Employee on Jul 6, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000033389
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance, SA Log Collector
RSA Version/Condition: 10.4.X, 10.5.X, 10.6.X
IssueDuring File collection event source integration, Cache key to connect event source with STIG Collector gives errors as below.
User-added image
CauseThis is error is due to "sftp" user password expired in STIG collector. This can be verified using below.
May 18 12:11:46 XXX sshd[4972]: pam_unix(sshd:account): expired password for user sftp (root enforced)

Please run chage -l sftp command in STIG collector to see password status for "sftp" user.
User-added image
Resolution As per STIG compliance, all user passwords need to be renewed for every 60 days. During File collection integration, make sure "sftp" user password not expired. If "sftp" user password need to be changed, Please use below steps.
      1. Login STIG collector ssh as administrator.
      2. Run passwd sftp to change password.
Note: Please use http://sadocs.emc.com/0_en-us/089_105InfCtr/215_SysAdm/ConfigurSTIG/00_Intro document for STIG compliant password.

      3. Please try Cache key step in Event source with psftp -i private.ppk -l sftp -v <Collector IP>