000033389 - RSA Security Analytics - SFTP Cache key to connect event source with STIG collector fails with error "Fatal: Received unexpected end-of-file from sftp server"

Document created by RSA Customer Support Employee on Jul 6, 2016Last modified by RSA Customer Support on Apr 24, 2019
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000033389
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Core Appliance, Security Analytics Log Collector
RSA Version/Condition: 10.4.X, 10.5.X, 10.6.X
Platform: CentOS
O/S Version: 6
IssueDuring the File collection event source integration, Cache key to connect the event source with the STIG Collector results in the following errors:

User-added image
CauseThis error is the result of the expired "sftp" user password in the STIG Collector.

This can be verified using the following.


May 18 12:11:46 XXX sshd[4972]: pam_unix(sshd:account): expired password for user sftp (root enforced)

To see the password status for the "sftp" user, run the following command in the STIG collector:

# chage -l sftp


User-added image
ResolutionAs per STIG compliance, all user passwords need to be renewed every 60 days. During the File collection integration, make sure that the "sftp" user password is not expired.

If the "sftp" user passwords need to be changed, use the following steps:

  1. Log into the STIG collector ssh session as an administrator.
  2. Run the following command to change the password. Note: Please use https://community.rsa.com/docs/DOC-78925 for information regarding STIG compliant passwords.

    # passwd sftp

  3. Try the Cache key step in the event source with the following command:

    # psftp -i private.ppk -l sftp -v <Collector IP>