Configuring Remote Log Collector for SCP Protocol usage on RSA NetWitness Log & Network 10.6.x
Issue
On Log Collectors for RSA NetWitness Log & Network 10.6.x, the SELinux environment prevents the SCP protocol from working with the default configuration.
Resolution
Log Collector versions 10.6.2 and later
The Log Collector configures SELinux to run in Enforcing mode. This is required for the plugin collection protocol. If you have AWS CloudTrail or Microsoft Azure event sources on a Log Collector, SELinux must remain in Enforcing mode.
The recommendation is to use a separate VLC for the File collection event sources that use SCP. On this VLC, disable SELinux as described below for Log Collector 10.6.0 and later. This step MUST be repeated whenever the Log Collector RPM is updated on this VLC, because the update re-enables SELinux.
Log Collector versions 10.6.0 and later
By default, SELinux runs in Permissive mode. Disabling SELinux resolves the problem.
To configure RSA version 10.6.0 and 10.6.1 Log Collectors:
- Log into the Log Collector appliance.
- Edit the /etc/selinux/config file.
- Change the line from SELINUX=permissive or SELINUX=enforcing to:
SELINUX=disabled
- Save the file.
- Reboot the system.
- Confirm that SELinux is disabled by running the command sestatus. The command should return the following text:
SELinux status: disabled
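The steps above can be scripted so that the same change is applied, and verified, each time the Log Collector RPM is updated on the SCP VLC. The following is an added example, not a script shipped with RSA NetWitness; it assumes the standard /etc/selinux/config layout with a single SELINUX= line, and takes the file path as an argument so it can be exercised against a copy before touching the live file.

```shell
#!/bin/sh
# Added example (not part of the RSA article or product): set SELINUX=disabled
# in a SELinux config file, report the configured mode, and parse sestatus output.
# Assumes the config file uses the standard "SELINUX=<mode>" line.
set -eu

# Rewrite SELINUX=permissive or SELINUX=enforcing to SELINUX=disabled.
# A .bak copy is kept so the change can be reverted if this VLC is ever
# repurposed for plugin (CloudTrail/Azure) collection, which needs Enforcing.
# Usage: set_selinux_disabled [config_file]   (default /etc/selinux/config)
set_selinux_disabled() {
    cfg="${1:-/etc/selinux/config}"
    cp "$cfg" "$cfg.bak"
    sed -e 's/^SELINUX=permissive$/SELINUX=disabled/' \
        -e 's/^SELINUX=enforcing$/SELINUX=disabled/' "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Print the mode configured in the file; this is what takes effect after reboot,
# so it is the value to re-check after every Log Collector RPM update.
# Usage: configured_mode [config_file]
configured_mode() {
    cfg="${1:-/etc/selinux/config}"
    sed -n 's/^SELINUX=//p' "$cfg"
}

# Extract the "SELinux status:" value from sestatus output read on stdin.
# Prints "disabled" when SELinux is off, otherwise "enabled".
# Usage: sestatus | runtime_status
runtime_status() {
    sed -n 's/^SELinux status:[[:space:]]*//p'
}

# Full check for the running system: exit 0 only if SELinux is really off.
# Usage (after reboot): verify_selinux_disabled
verify_selinux_disabled() {
    [ "$(sestatus | runtime_status)" = "disabled" ]
}
```

Run set_selinux_disabled as root, reboot, then run verify_selinux_disabled; a non-zero exit means the reboot has not happened yet or the RPM update restored the previous mode.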
Product Details
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector, Remote Collector
RSA Version: 10.6.x
Summary
On 10.6.x Log Collectors, the SELinux environment prevents the SCP protocol from working with the default configuration.