
RSA NetWitness Logdecoder getting Unidentified content warnings from Windows File Collection event sources

Issue

A Windows File Collection event source configured according to Install and Update the SFTP Agent and File Collection is delivering logs as expected, but the Log Decoder reports unidentified content warnings from the event source such as the following.

/var/log/messages:
Dec 29 07:45:41 LogDecoder NwLogDecoder[121731]: [SYSLOG] [warning] Unidentified content from 10.10.10.10:58933 received on syslog receiver: '@10.1.1.1 <6> %NIC-6-251036: SFtp Agent, SFtp Agent, -, -, -, -, Detail: 2404: Host 10.10.10.10'
Dec 29 07:45:54 LogDecoder NwLogDecoder[121731]: [SYSLOG] [warning] Unidentified content from 10.10.10.10:54780 received on syslog receiver: '@10.1.1.1 <5> %NIC-5-251015: SFtp Agent, SFtp Agent, -, -, -, -, Detail: 2280: Host 10.10.10.10'

These warnings indicate that the traffic originates from the SFTP agent that is configured as a file collection event source on the LogCollector->Config->Event Sources->File/Config page.

Cause

These unidentified content warnings are caused by the SFTP agent's own service logs, which the Windows SFTP agent sends to the Log Decoder's syslog receiver.


Resolution

Follow the steps below to stop these warnings.
  1. Log in to the Windows event source and edit the sasftpagent.conf file to comment out the following line:
    #agent.logginghost=
  2. Restart the SFTP agent service from the Windows Services page.
  3. Verify in the Log Decoder's /var/log/messages that the unidentified content warnings have stopped.
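The following Python script is an added example, not part of this article or of the NetWitness product. It parses Log Decoder syslog-receiver warnings like the ones shown above, separates those that carry SFTP agent service logs (the `@<host> <sev> %NIC-...: SFtp Agent,` payload) from other unidentified content, counts them per sending host, and shows the configuration edit from step 1 as a text transformation on sasftpagent.conf. The sample log lines and the sample configuration content are constructed for this example; the only key assumed in the configuration is `agent.logginghost`, as named in the article.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Log Decoder warning as written to /var/log/messages: captures the sender
# address and port and the quoted payload the syslog parser could not identify.
WARNING_RE = re.compile(
    r"NwLogDecoder\[\d+\]: \[SYSLOG\] \[warning\] Unidentified content from "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) "
    r"received on syslog receiver: '(?P<payload>.*)'$"
)

# Payload shape produced by the SFTP agent's own service logging:
# "@<agent.logginghost> <severity> %NIC-<severity>-<id>: SFtp Agent, ..."
SFTP_AGENT_RE = re.compile(
    r"^@(?P<logging_host>\S+) <(?P<severity>\d+)> "
    r"%(?P<mnemonic>NIC-\d+-\d+): SFtp Agent,"
)

# Constructed sample: the first two lines mirror the article's warnings, the
# third is unidentified content from a different host that is NOT an SFTP agent.
SAMPLE_LOG: List[str] = [
    "Dec 29 07:45:41 LogDecoder NwLogDecoder[121731]: [SYSLOG] [warning] "
    "Unidentified content from 10.10.10.10:58933 received on syslog receiver: "
    "'@10.1.1.1 <6> %NIC-6-251036: SFtp Agent, SFtp Agent, -, -, -, -, Detail: 2404: Host 10.10.10.10'",
    "Dec 29 07:45:54 LogDecoder NwLogDecoder[121731]: [SYSLOG] [warning] "
    "Unidentified content from 10.10.10.10:54780 received on syslog receiver: "
    "'@10.1.1.1 <5> %NIC-5-251015: SFtp Agent, SFtp Agent, -, -, -, -, Detail: 2280: Host 10.10.10.10'",
    "Dec 29 07:46:02 LogDecoder NwLogDecoder[121731]: [SYSLOG] [warning] "
    "Unidentified content from 10.10.10.20:51200 received on syslog receiver: "
    "'some other device with no supported parser'",
]

# Constructed sample sasftpagent.conf content (the value is a placeholder).
SAMPLE_CONF = "agent.logginghost=10.1.1.1\nagent.port=22\n"


def parse_warning(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one unidentified-content warning, or None if the line is not one."""
    m = WARNING_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    agent = SFTP_AGENT_RE.match(str(rec["payload"]))
    rec["from_sftp_agent"] = agent is not None
    if agent:
        # logging_host is the address the agent was told to log to (agent.logginghost).
        rec.update(agent.groupdict())
    return rec


def sftp_agent_warnings_by_host(lines: List[str]) -> Counter:
    """Count warnings caused by SFTP agent service logs, keyed by the sending Windows host."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_warning(line)
        if rec and rec["from_sftp_agent"]:
            counts[str(rec["src_ip"])] += 1
    return counts


def comment_out_logginghost(conf_text: str) -> str:
    """Comment out every active agent.logginghost line (step 1 of the resolution)."""
    out = []
    for line in conf_text.splitlines():
        if re.match(r"^\s*agent\.logginghost\s*=", line):
            out.append("#" + line.lstrip())
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")


if __name__ == "__main__":
    for host, n in sftp_agent_warnings_by_host(SAMPLE_LOG).items():
        print(f"{n} SFTP agent warning(s) from {host}; comment out agent.logginghost there")
    print(comment_out_logginghost(SAMPLE_CONF), end="")
```

Run against the real /var/log/messages (for example by piping it into `sftp_agent_warnings_by_host`) before and after the change: a host that still appears in the counter after the agent service restart has not picked up the edited configuration, while unidentified content from hosts that are not SFTP agents is reported separately and needs its own investigation.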

Product Details

RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7

Summary

This article outlines the procedure for stopping unidentified content warnings from Windows File Collection event sources.

