NIC SFTP Agent
Copyright © 2012 EMC Corporation. All Rights Reserved. Published in the USA. Thursday, May 30, 2013
RSA enVision NIC SFTP Agent Configuration
Contents
RSA enVision NIC SFTP Agent Configuration 4
NIC SFTP Agent Overview 5
Appendix 15
NIC SFTP Agent Parameters 19
NIC SFTP Agent Overview
The SFTP Agent uses a client/server architecture: the RSA enVision platform is the
server, and the SFTP Agent, installed on the event source that sends logs to enVision,
is the client. To configure the agent, you install it on the event source, configure
it there, generate keys on the client, and import the keys onto the RSA enVision
platform.
Note: Configure either the file, or the directory specifications. You cannot configure
both.
Setting             Description
agent.logginghost   agent.logginghost=enVision_IP
                    Change enVision_IP to the IP address of the RSA enVision
                    server to which the event source sends its log file
                    information.
file0               file0=C:\path_to_first_log_file
file0.ftp           Modify the parameter to match the complete path name of a
                    log file. You can set file1, file2, and so on, so that each
                    log file is identified. Alternatively, if the log files are
                    located in the same directory, you can set the dir0
                    parameter.
                    file0.ftp=enVision_IP,nic_sshd,publickey,event_source_IPaddress
                    The values are as follows:
dir0                dir0.ftp=enVision_IP,nic_sshd,publickey,event_source_IPaddress
dir0.ftp            The values are as follows:
4. Configure any of the other parameters based on your environment and the specific
event source that is sending its logs to the enVision platform. For details of all the
parameters, see NIC SFTP Agent Parameters.
5. Save the sftpagent.conf file.
Note: You create the key pair on the event source that is sending information to the
RSA enVision platform.
You should receive system feedback saying that the import was successful. If not, run the
command again.
Next, you either use an existing account or create a new user account for the SFTP Agent
Service.
Note: The user account should be a member of the local admin group. The account
must also have access to the files that are sent to the enVision platform.
3. Modify the NIC SFTP Agent Service to use this user account.
a. Right-click NIC SFTP Agent, and select Properties.
b. Click the Log On tab.
c. Select This account.
d. Type the user name and password for the account that you are using to run the
SFTP Agent Service.
e. Click OK.
4. Log off from the event source, then log back on using this new user account.
5. The user account that runs these steps must be the same user that will run the service.
To see your username, type the following command at a command prompt:
echo %USERDOMAIN%/%USERNAME%
The system displays your current user name. (Make note of your user name.)
Next, you must cache the keys for the connection.
Appendix
The appendix for the NIC SFTP Agent documentation contains the following sections:
Troubleshooting the NIC SFTP Agent
Upgrade to the NIC SFTP Agent
NIC SFTP Agent Parameters
NIC SFTP Sample Files
To resolve the issue, find or recreate the file and move it to the NIC SFTP Agent
installation directory.
Or, you may receive a message like the following if there is a key issue:
Offered public key
Server refused our key
Server refused public key
nic_sshd@enVision_IP's password:
To resolve the issue, regenerate the key pairs and re-import the private key onto the
RSA enVision platform.
Password Issue
If you need to reset your password, you receive a Usage Warning message, and the
system requests a password such as the following:
nic_sshd@enVision_IP's password:
Note: If you have a multiple appliance site with Enhanced Availability, all Cluster
Appliances (CAs) must be able to support all LC roles. This means you must specify the
same configuration information on each CA in the Enhanced Availability system.
NIC SFTP Agent Parameters
The following tables describe the SFTP Agent parameters that are available for
configuration. The parameters are separated into agent, file, and directory categories.
Note: Configure either the file, or the directory specifications. You cannot configure
both.
Agent Parameters
The following agent parameters are available.
Setting                 Description
agent.logginghost       Hostname or IP address of the enVision appliance to which
                        the logs will be sent. For multiple appliance sites, this
                        is the address or hostname of your D-SRV.
                        Important: You must change this value before running the
                        SFTP Agent.
agent.logginglevel      Highest level of logging collected. The values are 0 (least
                        verbose) to 7 (most verbose). The default value is 6, which
                        is the sftpagent logging level for internal debug messages.
agent.poscleaninterval  Time interval for deletion of the POS directory. The POS
                        folder contains temporary files created by the SFTP Agent.
                        If not configured, the agent does not purge the POS folder.
                        The default value is 0, which means that you must manually
                        clean up the POS folder. The syntax of the parameter is
                        n-u, where n is the number and u is the unit. Use any of
                        the following units:
                        - s: seconds
                        - min: minutes
                        - h: hours
                        - d: days
                        - w: weeks
                        - y: years. One year (1-y) is the maximum value. Setting
                          the parameter higher than 1-y sets the cleanup interval
                          to the maximum interval of one year.
                        For example, to set the cleanup interval to every two
                        minutes, use the following:
                        agent.poscleaninterval=2-min
agent.retrysendfile     Number of times the agent attempts to resend the log file.
                        For systems with a high data transfer rate and a large
                        volume of messages, you may send the files multiple times.
                        This helps ensure that enVision receives the data, even in
                        cases where some file transmissions fail due to network
                        congestion. The default value is 3. Acceptable values are
                        1 to 10. To turn off the feature and send files only once,
                        set the value to 0.
File Parameters
The following file parameters are available.
Setting                 Description
fileN                   Complete path name of the log file to monitor (for example,
                        file0=C:\path_to_first_log_file).
                        There is an issue on Windows 64-bit operating systems such
                        as Windows Server 2008, Windows 7, and Windows Vista: a
                        32-bit application cannot access any files in the
                        %windir%\System32\ path because the OS redirects them to
                        the %windir%\SysWOW64\ path. The workaround is to configure
                        the NIC SFTP Agent to use the following file specification:
                        file0=c:\windows\sysnative\target.txt
fileN.interval          The amount of time (in seconds) to wait between file checks.
fileN.compression       Data is compressed before sending when the value is true,
                        and not when false.
fileN.enabled           File is monitored when the value is true, and ignored when
                        false.
fileN.ftp               Defines FTP settings, including the host and directory where
                        files in the monitored directory are to be sent and the
                        credentials to be used. The syntax is as follows:
                        server_IP,port,nic_sshd,publickey,directory
                        where:
                        - server_IP is the name or IP address of the enVision
                          appliance. You must replace the text server_IP with the
                          IP address of the enVision appliance (in a multiple
                          appliance site, use the IP address of the LC where the
                          event source is configured).
                          Important: You must change this value prior to running
                          the SFTP Agent.
                        - port sets the port to listen on. You do not need to set
                          this parameter if you are using the default port.
                        - nic_sshd,publickey sets the authentication to use the
                          nic_sshd user (which is required) and to use public key
                          authentication. For multiple appliance sites, place the
                          public keys on the LC where the event source is being
                          collected (the same as the server_IP address).
                        - directory is the directory on the remote appliance
                          relative to the enVision/ftp_files directory for this
                          event source configuration. For example, if this IIS
                          event source IP address is 11.22.33.444, the remote
                          directory would be IIS_11.22.33.444.
                          Important: You must change this value prior to running
                          the SFTP Agent.
                        Note: The directory settings for the fileN.ftp key should
                        match the settings from the NIC File Reader Service
                        configuration.
fileN.suffix            Suffix attached to the file names of some event sources,
(optional, depending    only if the event source type has a suffix. For example,
on the event source     Cisco Secure ACS files have a suffix.
type)
fileN.delete_after_read Deletes the file after the data in the file has been
                        successfully sent to RSA enVision via FTP when the value
                        is true.
fileN.has_header        Set to false if the log file does not have a header line
                        at the top. Set to true in all other cases. If the value is
                        true, the header is sent with every file.
                        Note: This field is only available for RSA enVision 3.3.5
                        and later.
Directory Parameters
The following directory parameters are available.
Setting                 Description
dirN.dirspec            Directory to monitor. This value can contain wildcards; for
                        example, Logfiles matches the Logfiles directory, and
                        LogFiles* matches directories such as LogFiles1, LogFiles2,
                        and so on.
                        Note: Wildcard and regular expression strings are case
                        sensitive.
dirN.interval           The amount of time (in seconds) to wait between directory
                        checks.
dirN.compression        Data is compressed before sending when the value is true,
                        and not when false.
dirN.enabled            Directory is monitored when the value is true, and ignored
                        when false.
dirN.ftp                Defines FTP settings, including the host and directory where
                        files in the monitored directory are to be sent and the
                        credentials to be used. The syntax is as follows:
                        server_IP,port,nic_sshd,publickey,directory
                        - server_IP is the name or IP address of the enVision
                          appliance. You must replace the text server_IP with the
                          IP address of the enVision appliance (in a multiple
                          appliance site, use the IP address of the LC where the
                          event source is configured).
                          Important: You must change this value prior to running
                          the SFTP Agent.
                        - port sets the port to listen on. You do not need to set
                          this parameter if you are using the default port.
                        - nic_sshd,publickey sets the authentication to use the
                          nic_sshd user (which is required) and to use public key
                          authentication. For multiple appliance sites, place the
                          public keys on the LC where the event source is being
                          collected (the same as the server_IP address).
                        - directory is the directory on the remote appliance
                          relative to the enVision/ftp_files directory for this
                          event source configuration. For example, if this IIS
                          event source IP address is 11.22.33.444, the remote
                          directory would be IIS_11.22.33.444.
                          Important: You must change this value prior to running
                          the SFTP Agent.
                        Note: The directory settings for the dirN.ftp key should
                        match the settings from the NIC File Reader Service
                        configuration.
                        For example, in a multiple appliance site, if the LC is
                        11.22.33.444 and the IIS is 11.22.33.5, the line is:
                        dir0.ftp=11.22.33.444,nic_sshd,publickey,IIS_11.22.33.5
dirN.has_header         Set to false if the log file does not have a header line at
                        the top of the file. Set to true in all other cases. If
                        true, the header is sent with every file transfer. (This
                        field is available for enVision release 3.3.5 and later.)
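As an added example (not part of the RSA documentation or the agent itself), the following Python checker reads an sftpagent.conf and reports violations of the constraints described in the agent, file, and directory tables above and in the earlier file0/dir0 table: a placeholder agent.logginghost, the agent.logginglevel and agent.retrysendfile ranges, the rule that file and dir specifications cannot both be configured, the ftp field syntax, and the n-u form of agent.poscleaninterval capped at 1-y. The sample configuration and its IP addresses are constructed placeholders.

```python
import re

# Constructed sample sftpagent.conf; 10.0.0.5 (enVision LC) and 10.0.0.7 (IIS
# event source) are placeholder addresses, not values from the documentation.
SAMPLE_CONF = """\
agent.logginghost=10.0.0.5
agent.logginglevel=6
agent.poscleaninterval=2-min
agent.retrysendfile=3
dir0.dirspec=C:\\inetpub\\logs\\LogFiles*
dir0.ftp=10.0.0.5,nic_sshd,publickey,IIS_10.0.0.7
"""
UNIT_SECONDS = {"s": 1, "min": 60, "h": 3600, "d": 86400, "w": 604800, "y": 31536000}

def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def clean_interval_seconds(value):
    """Convert an n-u agent.poscleaninterval value to seconds, capped at 1-y."""
    m = re.fullmatch(r"(\d+)-(s|min|h|d|w|y)", value)
    if not m:
        raise ValueError("bad agent.poscleaninterval: %s" % value)
    return min(int(m.group(1)) * UNIT_SECONDS[m.group(2)], UNIT_SECONDS["y"])

def validate(conf):
    """Return the documented constraints that this configuration violates."""
    problems = []
    if conf.get("agent.logginghost", "enVision_IP") in ("", "enVision_IP"):
        problems.append("agent.logginghost still holds the placeholder value")
    if not 0 <= int(conf.get("agent.logginglevel", "6")) <= 7:
        problems.append("agent.logginglevel must be 0 to 7")
    if not 0 <= int(conf.get("agent.retrysendfile", "3")) <= 10:
        problems.append("agent.retrysendfile must be 0 to 10")
    if any(k.startswith("file") for k in conf) and any(k.startswith("dir") for k in conf):
        problems.append("file and dir specifications cannot both be configured")
    for key, value in conf.items():
        if re.fullmatch(r"(file|dir)\d+\.ftp", key):
            fields = value.split(",")
            if len(fields) == 5 and fields[1].isdigit():  # optional port given
                del fields[1]
            if (len(fields) != 4 or fields[1:3] != ["nic_sshd", "publickey"]
                    or fields[0] in ("enVision_IP", "server_IP")):
                problems.append("%s is not server_IP[,port],nic_sshd,publickey,directory" % key)
    return problems
```

Run validate(parse_conf(open("sftpagent.conf").read())) before starting the service; an empty list means every documented constraint is met.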
For example, the NIC SFTP sample file for Apache Tomcat could be located at the
following folder:
E:\nic\4000\SRV\etc\devices\apachetomcat\sftp\sftpagent.conf.apachetomcat.