How to run the NetWitness SFTP Agent Service as 'Local System'
Issue
How to run the NW SA SFTP Agent service as "Local System"?
Resolution
The SFTP Agent Install Documentation for sasftpagent has the following note in the "Select User Account to Run SFTP Agent Service" section:
After you import the public key to the Log Collector, you must:
Note: The user account should be a member of the local admin group. The account must also have access to the files that are sent to Log Collector.
- Select either an existing user account, or
- Create a user account on the event source to run the SFTP Agent Service.
- The SFTP Agent service must run as a user account with the correct permissions to access the logs; this is why the documentation recommends creating a user account that is a member of the local Admin group.
- The key pair must be created and cached while logged in as this user account, because the cached private key is a registry entry for that login only.
Because the configuration documentation only explains how to add the private key into the registry for a user login, sasftpagent.exe does not appear to work when the service runs with "Log On As" = "Local System": the private key is not in the registry location that Local System reads.
To copy the cached private key from the registry entry of a working login into the registry location that "Local System" uses, do the following:
1. Follow the SFTP Agent configuration documentation, using a user login in the local Admin group. Proceed through the steps to cache the key into the registry.
2. Confirm the SFTP Agent program works for this user login, either by running the program as a service with that user login, or by running the sasftpagent software in verbose (-v) mode, as described in the SFTP Agent configuration documentation.
3. Run regedit (Start > Run > regedit.exe).
4. Browse to the Windows Registry entry HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
5. Make sure there is a key entry here for rsa2@22:{IP_Address}
   - Where {IP_Address} = IP address of the SA Log Collector or enVision Log Collector.
6. Right-click SshHostKeys and Export to a {name}.reg file.
7. Using a text editor, edit the {name}.reg file.
   - Change the entry HKEY_CURRENT_USER to HKEY_USERS\.DEFAULT
   - Save the changed {name}.reg file.
   - The edited {name}.reg file should look similar to the example below (a REG_SZ value must stay on a single line in the .reg file).
Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:192.168.0.1"="0x23,0xad3fadd0fc763287609c7974cd5666f3c2540c4ae97cc64a8af0dc0bd87627f9a2019819a8fd52c44629f0e828eafc95fa8fa72d23561659ddd5d44ba8bed631d5334721686bdb1ccbf77e977cc79fd2dcca68e0db52de2a954beea248a3cd77053e1efc98dd278a5e75c068c0321cab7a10191e2a0215950ad8cfa94cf254857d9b04865dc4a8668c6367ba900e63a4c1af4d777665d1eb8144a62bfd7f2fb3915fdc4d397ad008925ffad0d7698ba069fa655c7bac708f2cf14df51da6cc62428cc4699feee10686b2ec278661ae48f2ad361f1c169109f2c17d9debda25c18c31bfce858f09dae040c946b786b1f2a48c3774b45090ddb8cc7b172e6f6bd5"
8. In regedit, use File -> Import to import the {name}.reg file back into the registry.
9. Confirm that HKEY_USERS\.DEFAULT\Software\SimonTatham\PuTTY\SshHostKeys now exists in the registry.
10. Test running nicsftpagent.exe as a service with Log On = "Local System".
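The same copy can be scripted instead of exporting and hand-editing a .reg file. The PowerShell below is an added example, not part of the NetWitness documentation; it assumes it is run from an elevated prompt while logged in as the user account from step 1, and $CollectorIp is a placeholder for the Log Collector's IP address. It checks that the rsa2@22 entry exists under the current user's SshHostKeys key before copying it to HKEY_USERS\.DEFAULT, then verifies the two values match (steps 5, 7 and 9 above).

```powershell
# Added example (not from the NetWitness documentation): copy the cached
# PuTTY SshHostKeys entry for the Log Collector from HKEY_CURRENT_USER to
# HKEY_USERS\.DEFAULT so a service running as Local System can find it.
# Run elevated; $CollectorIp is an assumed placeholder for the collector IP.
param(
    [Parameter(Mandatory = $true)][string]$CollectorIp
)

$relPath   = 'Software\SimonTatham\PuTTY\SshHostKeys'
$valueName = "rsa2@22:$CollectorIp"
$srcKey    = "HKCU:\$relPath"

# HKEY_USERS is not exposed as a drive by default; map it as HKU:
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root 'HKEY_USERS' | Out-Null
}
$dstKey = "HKU:\.DEFAULT\$relPath"

# Step 5: the entry must already be cached for the login running this script
$src = Get-ItemProperty -Path $srcKey -Name $valueName -ErrorAction SilentlyContinue
if (-not $src) {
    throw "No cached entry '$valueName' under $srcKey. Run the agent in verbose (-v) mode as this user first."
}
$cachedValue = $src.$valueName

# Step 7 equivalent: create the destination key if needed and write the same REG_SZ value
if (-not (Test-Path $dstKey)) { New-Item -Path $dstKey -Force | Out-Null }
Set-ItemProperty -Path $dstKey -Name $valueName -Value $cachedValue -Type String

# Step 9: confirm the copy exists and is identical to the source value
$dst = (Get-ItemProperty -Path $dstKey -Name $valueName).$valueName
if ($dst -ne $cachedValue) { throw "Copied value under $dstKey does not match the source." }
Write-Host "Cached entry '$valueName' copied to HKEY_USERS\.DEFAULT."
```

After it completes, proceed to step 10 and test the service with Log On = "Local System".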
Alternate Use:
This regedit export/import of the SshHostKeys registry entry will also work to copy the cached key to another user login, even on another Windows server, as long as the IP address of the SA Log Collector or enVision Log Collector has not changed and the key value has not changed.
1. Copy the {name}.reg file to the new Windows server.
2. Log in with the new user login that will run the SFTP Agent service.
3. Double-click the {name}.reg file and confirm adding the new registry entry.
Notes
WARNING: Using the Windows Registry Editor incorrectly can cause serious system-wide problems that may require you to re-install software. Please use this tool cautiously, and at your own risk.
Internal Comments
UserName:shurtj
8/26/2014 4:23:45 PM - Updated Article
Updated article and made changes to abide by Primus best practices.
Updated links, and added an alternate use.
Product Details
NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: SFTP Agent on Windows
NetWitness Version/Condition: 11.x, 12.x
Platform: Windows
Summary
How to run the RSA Windows SA SFTP Agent or NIC SFTP Agent service with Log On As = Local System