Dave Glover

Issues with setting up SFTP agent collection

Discussion created by Dave Glover Employee on Sep 17, 2020

Lately I have been using the sftpagent quite a bit for moving log files to NetWitness.  I have been running into the same issue on installs recently.


The issue happens on the first sftpagent agent connection to a log collector.


After installing the agent and creating an SSH key, you need to run the following command to accept the log collector host key:


psftp -i private.ppk -l sftp -v log_collector_IP_address


When that command runs it connects to the log collector and stores the host key. 


After accepting the key and storing it you get the following error:




In checking the 'secure' log on the log collector you see:



The issue is that the 'sftp' account has expired.  You need to change the password in order to activate the account.


This is done by issuing the following command:


passwd sftp


You will then be prompted to change the password.  It does not matter what password you pick, although it should be documented.  The sftpagent uses certificate authentication vs password auth, which is why it does not matter what you set the password to.


Once this is done you can rerun the "psftp -i private.ppk -l sftp -v log_collector_IP_address" command


You should see the following:



Once you see the "Access granted" line, you are good to continue setting up the sftpagent config.
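Added example, not part of the original post: a shell check that classifies the 'sftp' entry's password-aging state before the first psftp connection is attempted. It assumes the log collector uses the standard /etc/shadow aging fields; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify one /etc/shadow-format line against a day number
# (days since 1970-01-01). Prints one of:
#   ok | must-change | password-expired | account-expired
# shadow_status and today_days are hypothetical helper names.
shadow_status() {
    # $1 = shadow line, $2 = today in days since the epoch
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        lastchg = $3; max = $5; expire = $8
        # Field 8: absolute account expiry date
        if (expire != "" && expire + 0 > 0 && today >= expire + 0) {
            print "account-expired"; exit
        }
        # Field 3 == 0: password change forced at next login
        if (lastchg != "" && lastchg + 0 == 0) {
            print "must-change"; exit
        }
        # Field 3 + field 5: password older than its maximum age
        if (lastchg != "" && max != "" && max + 0 < 99999 &&
            today >= lastchg + max) {
            print "password-expired"; exit
        }
        print "ok"
    }'
}

today_days() { echo $(( $(date +%s) / 86400 )); }

# Constructed sample entries (not taken from a real system)
SAMPLE_FORCED='sftp:!!:0:0:99999:7:::'
SAMPLE_AGED='sftp:$6$constructed$hash:18000:0:90:7:::'
SAMPLE_OK='sftp:$6$constructed$hash:18500:0:99999:7:::'
SAMPLE_ACCT='sftp:$6$constructed$hash:18500:0:99999:7::18400:'

# Show the classification of each constructed entry as of today
for line in "$SAMPLE_FORCED" "$SAMPLE_AGED" "$SAMPLE_OK" "$SAMPLE_ACCT"; do
    printf '%-18s %s\n' "$(shadow_status "$line" "$(today_days)")" "$line"
done

# On a live collector (as root) the real entry can be checked with:
#   shadow_status "$(getent shadow sftp)" "$(today_days)"
```

`must-change` and `password-expired` are the states a password change clears; `account-expired` comes from a separate expiry-date field.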