John Kisner

Configure RSA NetWitness Log Collector for SCP Protocol

Discussion created by John Kisner Employee on Jan 19, 2017
Latest reply on Feb 6, 2017 by David Waugh

On 10.6.x Log Collectors, the SELinux environment prevents the SCP protocol from working with the default configuration. The following steps allow the SCP protocol to function.

 

Log Collector versions 10.6.2 and Later

The Log Collector configures SELinux to run Enforcing mode. This is required for the plugin collection protocol. If you have AWS Cloudtrail or Microsoft Azure event sources on a Log Collector, SELinux must remain in Enforcing mode.

 

The recommendation is to use a separate VLC for the File collection event sources using SCP. On this VLC, disable SELinux as mentioned below for Log Collector 10.6.0 and Later. This step MUST be performed whenever the Log Collector RPM is updated on this VLC.

 

Log Collector versions 10.6.0 and Later

By default, SELinux runs in Permissive mode. Disabling SELinux resolves the problem.

 

To configure RSA version 10.6.0 and 10.6.1 Log Collectors:

  1. Log into the Log Collector appliance.
  2. Edit the /etc/selinux/config file. Change the line from SELINUX=permissive or SELINUX=enforcing to SELINUX=disabled
  3. Save the file.
  4. Reboot the system.
  5. Confirm that SELinux is disabled by running the command sestatus. The command should return the following text:

 

SELinux status: disabled

Outcomes