NetWitness SFTP File Collection Issue

Issue

All file collection logs are not being received by NetWitness Log Collector.
On the event source, we can see file transfer error occurrs with 'No such file or directory' in sasftpagent.log.

 2021-07-01 16:45:30 ERROR Could not transfer /home/envisionsrv/var/lib/rsa/sasftpagent/stage/eventsource_1_2021-06-29_I1.txt-20210701164529-0.tmp to sftp@192.168.xxx.xxx:"/upload/eventsource_1/eventsource_1/eventsource_1_2021-06-29_I1.txt-20210701164529-0.tmp" via sftp.
 
2021-07-01 16:45:30 ERROR stdout: sftp> put "/home/envisionsrv/var/lib/rsa/sasftpagent/stage/eventsource_1_2021-06-29_I1.txt-20210701164529-0.tmp" "/upload/eventsource_1/eventsource_1/eventsource_1_2021-06-29_I1.txt-20210701164529-0.tmp"
 
2021-07-01 16:45:30 ERROR stderr: I've read & consent to terms in IS user agreement.
 
2021-07-01 16:45:30 ERROR stderr: remote open("/upload/eventsource_1/eventsource_1/eventsource_1_2021-06-29_I1.txt-20210701164529-0.tmp"): No such file or directory^M

Cause

In the Log Collector, /upload/eventsource_1/eventsource_1/ directory exists under /var/netwitness/logcollector directory, but not /var/lib/logcollector directory.
Both of /var/netwitness/logcollector/upload/ and /var/lib/logcollector/upload/ should have same files and directories. But /var/lib/logcollector/upload is empty.

 # ls /var/netwitness/logcollector/upload
 
apache eventsource_1
 
# ls /var/lib/logcollector/upload
 
#

Checking /etc/fstab file, the line of /var/lib/logcollector/upload is commented out:

 # cat /etc/fstab
 
/dev/mapper/netwitness_vg00-root / xfs defaults 0 0
 
UUID=23f99e6b-dc7b-46c9-85e7-180a8d52853d /boot xfs defaults 0 0
 
/dev/mapper/netwitness_vg00-usrhome /home xfs nosuid 0 0
 
/dev/mapper/netwitness_vg00-varlog /var/log xfs defaults 0 0
 
/dev/mapper/netwitness_vg00-nwhome /var/netwitness xfs nosuid,noatime 0 0
 
/dev/mapper/netwitness_vg00-swap swap swap defaults 0 0
 
 #/var/netwitness/logcollector/upload /var/lib/logcollector/upload none bind 0 0
 
/var/netwitness/logcollector/upload /var/lib/logcollector/upload_chroot/home/upload/eventsources none bind 0 0

The above is not the default configuration, hinting that it was commented out intentionally and was never reverted back.

Resolution

Open /etc/fstab, remove the comment in the line of /var/lib/logcollector/upload then save and close.

vi /etc/fstab
Reload daemon.

systemctl daemon-reload
Mount the upload directory.

mount /var/lib/logcollector/upload

Product Details

NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Log Collector
NetWitness Version/Condition: 11.x, 12.x
Platform: Centos 7 / AlmaLinux 8.9

Approval Reviewer Queue

Technical approval queue

NetWitness SFTP File Collection Issue

Issue

Cause

Resolution

Open /etc/fstab, remove the comment in the line of /var/lib/logcollector/upload then save and close.

Reload daemon.

Mount the upload directory.

Product Details

Approval Reviewer Queue