.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
??????File collection fails to start with Operation not permitted error on an RSA NetWitness Platform Log Collector
Issue
When you try to start File collection method on a Log Collector, it fails and you observe the following error message in the logs:
NwLogCollector[775]: [FileCollection] [failure] Failed to start collection: Operation not permitted src: /home/upload/.ssh/authorized_keys tgt: /home/upload/.ssh/authorized_keys.bak
Resolution
This issue is likely due to the immutable attribute being set on the authorized_keys file in /home/upload/.ssh on the Log Collector.You can verify this by running the lsattr command. If you see the 'i' flag in the output, it means the immutable attribute has been set:
[root@nwlogcollector ~]# lsattr /home/upload/.ssh/authorized_keys
----i----------- /home/upload/.ssh/authorized_keys <========== immutable attribute set
----i----------- /home/upload/.ssh/authorized_keys <========== immutable attribute set
To resolve this, you will need to remove/unset the attribute using the chattr -i command:
chattr -i /home/upload/.ssh/authorized_keys
Verify that the flag has indeed been removed:
[root@nwlogcollector ~]# lsattr /home/upload/.ssh/authorized_keys
---------------- /home/upload/.ssh/authorized_keys <========== immutable attribute removed
---------------- /home/upload/.ssh/authorized_keys <========== immutable attribute removed
You should now be able to start the File collection.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
Product Details
RSA Product Set: NetWitness PlatformRSA Product/Service Type: Local Log Collector, Remote Log Collector
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Approval Reviewer Queue
KCS Approval queue