I wanted to see if someone has previously configured Ironport to send logs by SCP. I tried to do it but did not get it working, so you can see what I did wrong; I did not find much information about it. The log line that syslog shows is:
Nov 22 10:07:04 192.168.1.64 Nov 22 10:09:13 SystemLog: Critical: Log Error: Push error for subscription WebFilter_SIEM: SCP failed to transfer to 172.24.150.35:None: Protocol major versions differ: 1 vs. 2 lost connection
If this has happened to someone, I would be very grateful for any help.
The WSA has an option for SSH1 or SSH2 on the log subscription. I imagine most SSH servers have disabled version 1 so that could be your problem; I'd try selecting SSH2 on the WSA and giving it another try. Good luck!
I disabled SSH1 in Ironport, but the problem persists.
I understand that when I set up SCP, the Ironport generates a key that I should add to the Splunk server's authorized_keys, which I did, and it still does not work. What else could be missing?
Hmm...I'm surprised that didn't fix it. To be clear, you're still getting the exact same error after setting the log subscription to SSH2? Do you have any log entries from the SSH host?
Hi, my configuration in Ironport is:
SCP on Remote Server
Maximum Time Interval Between Transferring: 3600
Protocol: SSH2
SCP Host: 172.24.150.35
Directory: /opt/splunk/var/log/
Username: usrscp
Is there something that may be missing?
The log output is as follows:
Nov 26 15:43:48 192.168.1.64 Nov 26 15:44:19 SIEM_System: Critical: Error while sending alert: Unable to send System/Critical alert to firstname.lastname@example.org with subject "Critical <System> ironport.euromotors.com: Log Error: Push error for subscription SIEM_AccessC: SCP fai...".
I think the config looks fine. Something isn't right about that log message, though; it looks like it's logging a failure to send the alert email rather than the alert itself. Do you have the WSA configured to send email to you when this fails? Entries from both the WSA and the SSH server would be great.
A few guesses as to what else might be wrong:
- Directory permissions for /opt/splunk/var/log (should be writable by usrscp and at least readable by Splunk)
- Permissions for ~/.ssh for the usrscp user (should be 700)
- Permissions for ~/.ssh/authorized_keys (should be 644)
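The three permission guesses in the reply above can be checked in one pass on the SCP target host. The following is an added example script, not code from the thread or from Cisco or Splunk; it assumes a GNU or BSD `stat` is installed and takes the SCP user's home directory and the destination log directory as arguments (the paths `/home/usrscp` and `/opt/splunk/var/log` in the usage line are illustrative). It also checks that the home directory itself is not group- or world-writable, since sshd's StrictModes rejects the key file in that case too, and it accepts 600 on authorized_keys as well as the 644 the reply suggests.

```shell
#!/bin/sh
# Added example, not from the thread: checks the permission layout that the
# last reply recommends on the SCP target (Splunk) host for the WSA push user.
# Assumptions: GNU or BSD 'stat' is available; arguments are the SCP user's
# home directory and the destination log directory (e.g. /opt/splunk/var/log).

# mode_of PATH: print the octal permission bits of PATH, e.g. 700
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# group_or_world_writable MODE: true when the group or other write bit is set
group_or_world_writable() {
    case "$1" in
        ?[2367]?|??[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_scp_target HOME_DIR LOG_DIR
# Prints one line per finding; returns 0 only when every FAIL check passes.
check_scp_target() {
    home="$1"; logdir="$2"; rc=0
    sshdir="$home/.ssh"; keys="$sshdir/authorized_keys"

    # Destination: the owner (usrscp) must be able to write, because the WSA
    # uploads here; group or other should be able to read so Splunk can pick
    # the files up (reported as a warning because Splunk's user is unknown).
    if [ ! -d "$logdir" ]; then
        echo "FAIL: $logdir does not exist"; rc=1
    else
        m=$(mode_of "$logdir")
        case "$m" in [2367]??) ;; *) echo "FAIL: $logdir mode $m, owner cannot write"; rc=1 ;; esac
        case "$m" in ?[4567]?|??[4567]) ;; *) echo "WARN: $logdir mode $m, neither group nor other can read" ;; esac
    fi

    # sshd StrictModes rejects the key file if the home directory, ~/.ssh or
    # authorized_keys is writable by group or others, so check all three.
    if group_or_world_writable "$(mode_of "$home")"; then
        echo "FAIL: $home is group/world writable"; rc=1
    fi
    if [ ! -d "$sshdir" ]; then
        echo "FAIL: $sshdir does not exist"; rc=1
    elif [ "$(mode_of "$sshdir")" != 700 ]; then
        echo "FAIL: $sshdir mode $(mode_of "$sshdir"), expected 700"; rc=1
    fi
    if [ ! -f "$keys" ]; then
        echo "FAIL: $keys does not exist (paste the key the WSA shows into it)"; rc=1
    else
        m=$(mode_of "$keys")
        case "$m" in 644|600) ;; *) echo "FAIL: $keys mode $m, expected 644 (or 600)"; rc=1 ;; esac
    fi
    return $rc
}

# Stand-alone usage (illustrative paths):
#   sh check_scp_target.sh /home/usrscp /opt/splunk/var/log
if [ "$#" -eq 2 ]; then
    check_scp_target "$1" "$2"
fi
```

Run it as root or as the SCP user on the Splunk host; a non-zero exit with a FAIL line points at the permission that sshd or scp will refuse, and a clean run shifts suspicion to the sshd side (check `/var/log/auth.log` or `/var/log/secure` on the server for the rejected login).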