
Which nicsftpagent to use for transferring device log files to RSA Security Analytics

Issue

Which nicsftpagent to use for transferring device log files to RSA Security Analytics.
How to install the Windows sftp agent software for transferring device log files to RSA Security Analytics.

Cause

The problem with using sftpagent4100 with SA lies in the nicsftpagent.exe that comes with this version of the software. This nicsftpagent.exe tries to do the upload using the command:

  psftp.exe -i private.ppk -l sftp -batch -b {unique hex number}.script {SA Log Collector IP} -P 22

The {unique hex number}.script file contains,

  cd "//upload/{device_type}/{source name}"
  put "{file name to upload}.gz"

The problem with the 4.1 psftp.exe is that it can't do cd "/upload/{device_type}/{source name}".
It gets the error "Directory /upload/{device_type}/{source name}: permission denied".

You can temporarily fix this by giving increased write permission (like chmod 777) to the Log Collector directory /var/netwitness/logcollector/upload//{device_type}/{source name}.
However, when the nwlogcollector service restarts, it reverts the permissions on this folder back to the default permissions (chmod 331).


The reason the sftpagent3700b0378 works is because the {unique number}.script file only contains,

  put "{file name to upload}.gz" "//upload/{device_type}/{source name}/{file name to upload}.gz"

The psftp.exe can do a put into the Log Collector unix directory, but can't do a cd.
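
The following audit script is an added example, not RSA's code. Run on the Log Collector, it lists {device_type}/{source name} upload directories whose mode has drifted from the 331 default (for instance a leftover chmod 777) and decodes what each mode allows. It assumes GNU find and stat, and it assumes that psftp's cd has to open the directory for listing, which needs the read bit that 331 withholds; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit Log Collector upload directories for permission drift.
# Assumes GNU find and stat. The path and the 331 default come from the article.
UPLOAD_ROOT="${1:-/var/netwitness/logcollector/upload}"
EXPECTED_MODE=331

# rights DIGIT: what one octal permission digit allows on a directory.
#   put  = create a file by full path (write 2 + search 1)
#   list = open the directory for reading (read 4 + search 1)
rights() {
    out=""
    if [ $(( $1 & 3 )) -eq 3 ]; then out="put"; fi
    if [ $(( $1 & 5 )) -eq 5 ]; then out="${out:+$out,}list"; fi
    echo "${out:-none}"
}

# audit_upload_dirs ROOT: print one line per {device_type}/{source name}
# directory whose mode is not the expected default. Reads mode bits only,
# so the result is the same whether or not it runs as root.
audit_upload_dirs() {
    find "$1" -mindepth 2 -maxdepth 2 -type d | sort | while IFS= read -r dir; do
        mode=$(stat -c '%a' "$dir")
        if [ "$mode" = "$EXPECTED_MODE" ]; then continue; fi
        owner=$(( mode / 100 % 10 ))
        other=$(( mode % 10 ))
        flag="DRIFT"
        if [ $(( other & 2 )) -ne 0 ]; then flag="WORLD-WRITABLE"; fi
        echo "$flag $mode $dir owner=$(rights "$owner") other=$(rights "$other")"
    done
}

# Audit the real upload tree when it exists (pass another root as $1 to override).
if [ -d "$UPLOAD_ROOT" ]; then
    audit_upload_dirs "$UPLOAD_ROOT"
fi
```

A directory at the default mode prints nothing; any line of output is a directory that either still carries a manual permission change or was created with a non-default mode.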



Resolution

The RSA Security Analytics (SA) sasftpagent software for Windows and Unix operating systems is available for download from the RSA SCOL website, under RSA Security Analytics SFTP Agents.

The RSA enVision 3.7.0 Secure FTP Agent Update, whose current Windows executable is sftpagent3700b0378.exe, can also work with RSA Security Analytics (SA) to transfer device log files via sftp.

The RSA enVision 4.1.0 Secure FTP Agent does NOT work with RSA Security Analytics (SA).

The RSA Security Analytics Online Documentation site includes details on how to configure the sasftpagent and nicsftpagent for SA; see the SA Online Documentation topic Install and Update SFTP Agent.



Notes

The sasftpagent software, RSA_sasftpagent4100b0009.exe is now released, see Jira# ESE-1221.

Internal Comments

UserName:shurtj
5/21/2014 7:56:41 PM - Changed Solution Type
Changed Solution Type from 3.X Compatibility to Solution so that the Audience field would be present. Technical review is still needed.

UserName:saxonj
6/9/2014 2:36:14 PM - Tech Review
Fixed a minor typo in capitalization. Consider clarifying the Title and Goals. Changed the fact statement from "Security Analytics 10.x" to "RSA Security Analytics 10.3 and below." This appears to be more consistent with guidelines. Changed type from "informational" to "how to". Changed "Submitted" from no to yes. This is not essential and does not stop it from publishing. The links are functional but difficult to read because they are so long. Wonder if we should hide the full link behind labels. Also added a couple of CF+LF in the fix to help with formatting. Set status to "copy edited" and emailed author.

UserName:shurtj
7/9/2014 9:30:41 PM - Modified Title and Corrected Broken Link
Modified the title to be more descriptive. Primus is truncating the URL because it is too long, so the link was changed to return the search results for the page instead.

UserName:vwareham
8/4/2014 12:50:18 AM - sasftpagent now available
Updating article, now that the sasftpagent is available for download.

UserName:shurtj
8/7/2014 8:21:09 PM - Change Audience
Change audience to internal.


Product Details

RSA Security Analytics 10.3 and below
sasftpagent
nicsftpagent
sftpagent
INTERNAL ONLY!!!