
Windows server SFTP collection is not persistent for RSA NetWitness Platform Collector

Issue

Windows SFTP collection is configured using the SFTP Document. However, SFTP collection frequently stops. Manually restarting the SFTP Agent service on the Windows server starts collection again.

Cause

This issue is due to a key caching mismatch with the user account.


Resolution

Follow the instructions below to make SFTP collection persistent.

1. Log in to the Windows Server using any user account.
2. Open the command prompt and run the following command from the C:\sasftpagent directory:
      psftp -i private.ppk -l sftp -v log_collector_IP_address
      Where:
      private.ppk is the file containing the private key.
      log_collector_IP_address is the IP address of the Log Collector.
3. The system displays a prompt and some choices.
4. At the prompt, choose 'g' from the following options:
    - g: Global. If you enter 'g', the fingerprint is installed in the system environment, which is visible to all users.
           Note: If you enter the global value, you do not need to run the SFTP service as the user that installed the agent; any user can run the SFTP service.
    - l: (lowercase L) Local. If you enter 'l', the fingerprint is stored in the HKEY_CURRENT_USER registry hive, visible only to the currently logged-in user (and Administrators).
    - n: Cancel. Cancels the registration procedure.
5. At the psftp prompt, type quit, and press ENTER.
6. Start the SFTP Agent Service from the Windows Services Control Panel:
    a. Type services.msc on the command line.
    b. Start the SA SFTP Agent service.

If no prompt appears offering the Global option, follow the instructions below to delete the existing keys cached globally or locally.
  1. In the Windows Search bar, type Registry Editor and select it.
  2. Global keys are cached in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
  3. Local keys are cached in HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
  4. Right-click a key and choose "Delete" to delete it.
  5. Then retry the key caching steps above and choose the Global option.
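
A read-only check for the mismatch described under Cause, added here as an example and not part of the RSA procedure: it shows which account the agent service runs as and whether a fingerprint for the Log Collector is cached globally or only for the current user. Assumptions: the service display name is 'SA SFTP Agent' as in step 6, and a cached entry can be recognised because the Log Collector address appears in the registry value name or data.

```powershell
# Added example (read-only): compare the SFTP agent's service account with
# the registry locations where the host key fingerprint may be cached.
param(
    [Parameter(Mandatory)]
    [string] $LogCollector,                     # same IP as in the psftp command
    [string] $ServiceName = 'SA SFTP Agent'     # assumption: display name from step 6
)

# The two cache locations named on this page.
$locations = @(
    @{ Scope = 'Global'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' }
    @{ Scope = 'Local';  Path = 'HKCU:\Software\SimonTatham\PuTTY\SshHostKeys' }
)

function Find-CachedHostKey {
    param([string] $HostName)
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($loc in $locations) {
        if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
        $key = Get-Item -LiteralPath $loc.Path
        foreach ($name in $key.GetValueNames()) {
            $data = [string] $key.GetValue($name, '', $noExpand)
            # Assumption: a cached entry mentions the collector address in its name or data.
            if ("$name $data".IndexOf($HostName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Scope = $loc.Scope; ValueName = $name; Path = $loc.Path }
            }
        }
    }
}

$svc    = Get-CimInstance Win32_Service -Filter "DisplayName = '$ServiceName'"
$hits   = @(Find-CachedHostKey -HostName $LogCollector)
$scopes = @($hits | ForEach-Object Scope | Select-Object -Unique)

"Service account : " + $(if ($svc) { $svc.StartName } else { "service '$ServiceName' not found" })
"Current user    : $env:USERDOMAIN\$env:USERNAME"
$hits | Format-Table -AutoSize | Out-String

if ($scopes -contains 'Global') {
    'Fingerprint is cached globally; it is visible to whichever account runs the service.'
} elseif ($scopes -contains 'Local') {
    'Fingerprint is cached only for the current user; the service sees it only if it runs as this user.'
} else {
    'No cached fingerprint found; run the psftp command above and choose g.'
}
```

The HKEY_CURRENT_USER result reflects the account running the script, so run it as the same user that executed the psftp command.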

Product Details

RSA Product Set: NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X,12.X
Platform: CentOS
O/S Version: 7
Product Name: Windows Server

Summary

This document outlines the procedure for SFTP collection persistence.

