RSA NetWitness SFTP collection from Linux is not sending logs to multiple SA_DIRECTORY destinations
Issue
The Linux event source's sasftpagent.conf file contains multiple SA_DIRECTORY entries, as shown below, but logs are sent only to the last one, SA_DIRECTORY=/upload/artie/artifactory01.
sasftpagent.conf:
DATA_DIRECTORY=/var/log/
FILESPEC=artifactory-request*.log
SA_DIRECTORY=/upload/artrequest/artifactory01
DATA_DIRECTORY=/var/log/
FILESPEC=artifactory-import-export.log
SA_DIRECTORY=/upload/artie/artifactory01
/var/log/rsa/sasftpagent.log shows that only the last DATA_DIRECTORY, FILESPEC, SA_DIRECTORY section is used when transferring files to NetWitness:
2020-10-12 14:15:01 INFO Logging to /var/log/rsa/sasftpagent.log.
2020-10-12 14:15:01 INFO ----------------------------------------------------
2020-10-12 14:15:01 INFO Current Time: Mon Oct 12 14:15:01 IST 2020 IST
2020-10-12 14:15:01 INFO Command: /root/sasftpagent.sh
2020-10-12 14:15:01 INFO Log Collector: 172.10.10.10
2020-10-12 14:15:01 INFO Data Directory: /var/log/
2020-10-12 14:15:01 INFO Data Files: artifactory-import-export.log
2020-10-12 14:15:01 INFO Recursion Depth: 1
2020-10-12 14:15:01 INFO LC Directory: /upload/artie/artifactory01
2020-10-12 14:15:01 INFO Transfer Method: SFTP
2020-10-12 14:15:01 INFO Transfer Username: sftp
2020-10-12 14:15:01 INFO Identity File: /root/.ssh/id_rsa
2020-10-12 14:15:01 INFO Remove Flag: no
2020-10-12 14:15:01 INFO Header Lines: 0
2020-10-12 14:15:01 INFO State Directory: /var/lib/rsa/sasftpagent
2020-10-12 14:15:01 INFO Lock Timeout: 300
2020-10-12 14:15:01 INFO PID: 11526
2020-10-12 14:15:01 INFO Login Name: root
2020-10-12 14:15:01 INFO Effective User: root
2020-10-12 14:15:01 INFO Home Directory: /root/
2020-10-12 14:15:01 INFO Working Directory: /root
2020-10-12 14:15:01 INFO Shell Command: sasftpagent.sh
2020-10-12 14:15:01 INFO Command Arguments: /bin/sh /root/sasftpagent.sh
2020-10-12 14:15:01 INFO ----------------------------------------------------
2020-10-12 14:15:01 INFO Configuration was read from /etc/rsa/sasftpagent.conf
Tasks
SA_DIRECTORY can hold only a single value on Linux. A multi-valued SA_DIRECTORY is not supported by design for Linux SFTP collection.
Resolution
On Linux, sending all log files to a single SA_DIRECTORY works. The Windows SFTP agent can handle multiple collection instances because the settings in its config file use the dirN format shown below. The Linux SFTP agent is different: it does not support the dirN format.
dir0={ARTIFACTORY_HOME}/logs
dir0.filespec=access.log
dir0.interval=60
dir0.compression=false
dir0.enabled=true
dir0.ftp=<enVisionServer_IP>,nic_sshd,publickey,ART_ACCESS_<ARTIFACTORY_IP>
dir1={ARTIFACTORY_HOME}/logs
dir1.filespec=request.log
dir1.interval=60
dir1.compression=false
dir1.enabled=true
dir1.ftp=<enVisionServer_IP>,nic_sshd,publickey,ART_REQUEST_<ARTIFACTORY_IP>
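Because the Linux agent silently keeps only the last section, a config like the one in the Issue above produces a collection gap that is easy to miss until the missing logs are noticed on the collector. The script below is an added example (not RSA's code) that lints a Linux sasftpagent.conf before deployment: it groups the KEY=value lines into the sections the author intended, computes the values the agent will actually use under the last-value-wins behaviour the agent log shows, and warns about every section that will be ignored. It assumes the KEY=value layout from the article; the sample configs are reproduced from the article (ARTICLE_CONF) or constructed for the single-section case (SINGLE_CONF).

```python
"""Lint a Linux sasftpagent.conf for repeated collection sections.

Added example, not RSA's code. Assumptions: the file consists of
KEY=value lines as shown in the article, and the agent keeps only the
last value of each key (the "Data Files" / "LC Directory" lines in the
agent log show exactly the last section).
"""

SECTION_KEYS = ("DATA_DIRECTORY", "FILESPEC", "SA_DIRECTORY")

# Reproduced from the article: two sections, only the last one is used.
ARTICLE_CONF = """\
DATA_DIRECTORY=/var/log/
FILESPEC=artifactory-request*.log
SA_DIRECTORY=/upload/artrequest/artifactory01
DATA_DIRECTORY=/var/log/
FILESPEC=artifactory-import-export.log
SA_DIRECTORY=/upload/artie/artifactory01
"""

# Constructed single-section config: the layout the Linux agent supports.
SINGLE_CONF = """\
DATA_DIRECTORY=/var/log/
FILESPEC=artifactory-*.log
SA_DIRECTORY=/upload/artifactory01
"""


def _settings(text):
    """Yield (KEY, value) for the collection-section keys, in file order."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().upper()
        if key in SECTION_KEYS:
            yield key, value.strip()


def parse_sections(text):
    """Group settings into the sections the author intended.

    A new section starts whenever a key already set in the current
    section appears again; that is how the article's file reads."""
    sections, current = [], {}
    for key, value in _settings(text):
        if key in current:
            sections.append(current)
            current = {}
        current[key] = value
    if current:
        sections.append(current)
    return sections


def effective_config(text):
    """What the Linux agent actually runs with: last value of each key."""
    effective = {}
    for key, value in _settings(text):
        effective[key] = value
    return effective


def lint(text):
    """Return one warning per section that will be silently dropped
    (every section but the last), so the collection gap is visible
    before the file is deployed."""
    warnings = []
    for dropped in parse_sections(text)[:-1]:
        warnings.append(
            "section for FILESPEC=%s (SA_DIRECTORY=%s) is ignored: "
            "the Linux sasftpagent supports a single SA_DIRECTORY"
            % (dropped.get("FILESPEC", "?"), dropped.get("SA_DIRECTORY", "?"))
        )
    return warnings


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:  # e.g. /etc/rsa/sasftpagent.conf
            text = fh.read()
    else:
        text = ARTICLE_CONF
    print("Effective configuration:", effective_config(text))
    for warning in lint(text):
        print("WARNING:", warning)
```

Run it against /etc/rsa/sasftpagent.conf on the event source; any WARNING line means a FILESPEC that will never reach the collector, and the printed effective configuration should match the Data Files and LC Directory lines in /var/log/rsa/sasftpagent.log.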
Product Details
RSA Product Set: RSA NetWitness Logs & Network
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.3.2.0
Platform: CentOS
O/S Version: 7
Summary
This document outlines the supported sftp collection as per design.