
How to Configure File Event Source in NetWitness using the SFTP Transfer method for Linux servers

Issue

How to Configure File Event Source in RSA Security Analytics using the SFTP Transfer method for Linux servers.


Resolution

This can be configured with the following steps:

1- Create a user account on both the LogCollector and the event source and assign a password for it.

2- Create the directory /usr/local/nic on the event source server and make sure the account created in the previous step has full access to it (rwx).

3- Make sure the created account on the event source has read access to the log files inside the logs location.

4- Switch user to the user created in step 1 and generate an SSH key pair with the following command, which by default creates a private key (id_rsa) and a public key (id_rsa.pub) in ~/.ssh/:  ssh-keygen -b 1024 -t rsa

5- Copy the public key to the authorized keys on the LogCollector with the following command, where <user> is the account created in step 1 and <logcollector> is the hostname or IP address of the LogCollector:  ssh-copy-id -i ~/.ssh/id_rsa.pub <user>@<logcollector>

6- Configure the event source in the SA UI Administration -> Devices -> LogCollector -> Config  -> Event Sources -> File and take note of the Directory name.

7- This creates a directory for this event source under /var/netwitness/logcollector/upload/. Make sure you assign full privileges (rwx) for the account created in step 1 to this directory and its subdirectories.

8- Download and configure the nicsftpagent.sh script following the instructions in the knowledgebase article Understanding the sasftpagent.sh SFTP file transfer shell script and its usage in RSA Security Analytics.

9- SCP the script to /usr/local/nic on the event source and make sure the user created in step 1 has execute permissions on it.

10- Execute the script with the user account created in step 1.

11- When run successfully, you can schedule it in Cron.
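Before scheduling the script in cron, it is worth verifying that the event-source side of steps 2, 3, 4 and 9 is actually in place for the transfer account, since a missing permission only shows up as a silent transfer failure later. The following pre-flight check is an added example and is not part of this article or of the NetWitness agent script. Its path defaults follow the article (/usr/local/nic and ~/.ssh); the agent script name nicsftpagent.sh under /usr/local/nic and /var/log as the log location are assumptions, and every path can be overridden by argument. It also flags a private key readable by group or others (the ssh client ignores such a key) and, where ssh-keygen is available, an RSA key shorter than 2048 bits, since 1024-bit RSA as produced by the command in step 4 is well below today's recommended minimum.

```shell
#!/bin/sh
# Pre-flight check for the event-source side of the SFTP file event source
# setup. Added example, not from the NetWitness article or its scripts.
# Defaults follow the article (/usr/local/nic, ~/.ssh); the agent script
# name and the log directory are assumptions.
#
# usage: check_setup [nic_dir] [agent_script] [ssh_dir] [log_dir]
# Prints one line per check and returns the number of failed checks.

# Prints the group+other permission bits of a file as a six-character
# string (e.g. "------" for mode 600), portable across ls implementations.
group_other_perms() {
  ls -ld "$1" | cut -c5-10
}

check_setup() {
  nic_dir="${1:-/usr/local/nic}"
  agent="${2:-$nic_dir/nicsftpagent.sh}"
  ssh_dir="${3:-$HOME/.ssh}"
  log_dir="${4:-/var/log}"
  fails=0
  me="$(id -un 2>/dev/null || id -u)"

  # Step 2: the working directory exists and this account has rwx on it.
  if [ -d "$nic_dir" ] && [ -r "$nic_dir" ] && [ -w "$nic_dir" ] && [ -x "$nic_dir" ]; then
    echo "ok   $nic_dir is rwx for $me"
  else
    echo "FAIL $nic_dir missing or not rwx for $me"; fails=$((fails + 1))
  fi

  # Step 3: this account can read the log location that will be transferred.
  if [ -d "$log_dir" ] && [ -r "$log_dir" ] && [ -x "$log_dir" ]; then
    echo "ok   $log_dir is readable by $me"
  else
    echo "FAIL $log_dir is not readable by $me"; fails=$((fails + 1))
  fi

  # Step 4: the key pair exists and the private key is private. The ssh
  # client ignores an identity file that group or others can read.
  if [ -f "$ssh_dir/id_rsa" ] && [ -f "$ssh_dir/id_rsa.pub" ]; then
    echo "ok   key pair present in $ssh_dir"
    if [ "$(group_other_perms "$ssh_dir/id_rsa")" != "------" ]; then
      echo "FAIL $ssh_dir/id_rsa is accessible to group or others (chmod 600 it)"
      fails=$((fails + 1))
    fi
    # Key strength: flag RSA keys under 2048 bits. ssh-keygen -l prints the
    # bit count as the first field; anything unparseable is only a warning.
    if command -v ssh-keygen >/dev/null 2>&1; then
      bits="$(ssh-keygen -l -f "$ssh_dir/id_rsa.pub" 2>/dev/null | awk '{print $1}')"
      case "$bits" in
        ''|*[!0-9]*) echo "warn could not determine key size of $ssh_dir/id_rsa.pub" ;;
        *) if [ "$bits" -lt 2048 ]; then
             echo "FAIL $ssh_dir/id_rsa.pub is only $bits bits; regenerate with -b 3072 or larger"
             fails=$((fails + 1))
           else
             echo "ok   $ssh_dir/id_rsa.pub is $bits bits"
           fi ;;
      esac
    fi
  else
    echo "FAIL no id_rsa/id_rsa.pub pair in $ssh_dir"; fails=$((fails + 1))
  fi

  # Step 9: the agent script is in place and executable by this account.
  if [ -x "$agent" ]; then
    echo "ok   $agent is executable"
  else
    echo "FAIL $agent missing or not executable"; fails=$((fails + 1))
  fi

  return "$fails"
}

# Run with the article's defaults (or the paths given on the command line)
# and summarise; a non-zero count means cron scheduling should wait.
check_setup "$@" || echo "$? check(s) failed"
```

Run it as the account created in step 1, on the event source, before adding the cron entry; every line should read `ok`. The checks use only the permissions of the calling user, so running it as root proves nothing about the transfer account.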


Notes

Archiving this in favor of https://community.netwitness.com/s/article/677992 (Configure SFTP Shell Script File Transfer, community maintained document).


Internal Comments

UserName:shurtj
8/7/2014 4:59:52 PM - Retired Article
Retired article prior to Salesforce migration as required scripts are not available in the article.

UserName:shurtj
8/7/2014 5:04:45 PM - Updated Article
Updated the article to instead refer to KB article a64914 and published it as internal rather than external.

Jaseel K - 7 May 2024
Updated 'Title', 'Applies To' and 'Categories' section.

Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: All Nodes
NetWitness Version/Condition: 11.x, 12.x or later
Platform: CentOS/Alma Linux
