
The SFTP Agent is sending messages to the NetWitness Admin server on port 600 UDP

Issue

The SFTP Agent is sending data on UDP port 600 that is not recognized by the server. This behavior is not documented in any of the guides for the SFTP Agent.


Resolution

This is a holdover from the original RSA enVision server, where the SFTP Agent service used port 600 to send its own event logs to the server.
NetWitness has no knowledge of this port, and the traffic can be disabled in the sftpagent.conf file.

To do so, locate the sftpagent.conf file and either set the logging level to zero or comment out the parameters below, as shown in this example:
#agent.logginglevel=0
#agent.logginghost=SA_IP
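
The following is an added example, not part of the original article or the product: a shell sketch that reports whether self-logging is still active in a given sftpagent.conf and comments out the two parameters after taking a backup. The function names are hypothetical, the file path is passed as an argument, and the file is assumed to use key=value lines with # comments, as in the snippet above.

```shell
#!/bin/sh
# Added example. Assumes sftpagent.conf holds key=value lines and '#' comments.

# Print the active (uncommented) value of a key; the last occurrence wins.
conf_value() {  # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*#/ { next }                   # commented-out line: not active
        (eq = index($0, "=")) == 0 { next }   # not a key=value line
        {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", k)            # tolerate spaces and CRLF endings
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# "disabled" when the level is zero or both parameters are commented out
# (the two options the article gives); anything else is "not-disabled".
selflog_state() {  # $1 = file
    level=$(conf_value "$1" agent.logginglevel)
    host=$(conf_value "$1" agent.logginghost)
    if [ "$level" = "0" ] || { [ -z "$level" ] && [ -z "$host" ]; }; then
        echo disabled
    else
        echo not-disabled
    fi
}

# Comment out both parameters, keeping a backup copy next to the file.
# Lines that are already commented are left untouched.
disable_selflog() {  # $1 = file
    cp -p "$1" "$1.bak" || return 1
    sed -e 's/^[[:space:]]*\(agent\.logginglevel[[:space:]]*=\)/#\1/' \
        -e 's/^[[:space:]]*\(agent\.logginghost[[:space:]]*=\)/#\1/' \
        "$1.bak" > "$1"
}

# Usage: selflog_state /path/to/sftpagent.conf
#        disable_selflog /path/to/sftpagent.conf
```
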

Notes

This sftpagent.conf configuration disables all SFTP Agent logs except for one: the one specified as sending to the source, which sends on the directory line.

Product Details

NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: NetWitness Admin Server, SFTP Agent
NetWitness Version/Condition: 10.x, 11.x, 12.x
Platform: CentOS, AlmaLinux

 


Summary

The SFTP Agent is sending data on UDP port 600 that is not recognized by the server.

