Ironport set by SCP

Communicator

Hello everyone.
I wanted to see if someone has previously configured IronPort to send logs by SCP. I tried to do it but did not get it to work, so you can see what I did wrong. I did not find much information about it; in the logs it sends to syslog it shows:

Nov 22 10:07:04 192.168.1.64 Nov 22 10:09:13 SystemLog: Critical: Log Error: Push error for subscription WebFilter_SIEM: SCP failed to transfer to 172.24.150.35:None: Protocol major versions differ: 1 vs. 2 lost connection

If someone has it happened, I would be very grateful.
regards,


Re: Ironport set by SCP

Communicator

😞
A comment from someone?


Re: Ironport set by SCP

Builder

The WSA has an option for SSH1 or SSH2 on the log subscription. I imagine most SSH servers have disabled version 1 so that could be your problem; I'd try selecting SSH2 on the WSA and giving it another try. Good luck!


Re: Ironport set by SCP

Communicator

Hello.
I disabled SSH1 in IronPort, but the problem persists.
I understand that when I set up SCP, the IronPort generates a key that I should add to the Splunk server's authorized_keys. I did that and it still does not work; what else could be missing?

Thanks


Re: Ironport set by SCP

Builder

Hmm...I'm surprised that didn't fix it. To be clear, you're still getting the exact same error after setting the log subscription to SSH2? Do you have any log entries from the SSH host?


Re: Ironport set by SCP

Communicator

Hi, my configuration in IronPort is:

*SCP on Remote Server
  Maximum Time Interval Between Transferring:3600
  Protocol: SSH2
  SCP Host: 172.24.150.35
  Directory: /opt/splunk/var/log/
  Username: usrscp

Is something missing?
The log I get is the following:

Nov 26 15:43:48 192.168.1.64 Nov 26 15:44:19 SIEM_System: Critical: Error while sending alert: Unable to send System/Critical alert to alerts@ironport.com with subject "Critical <System> ironport.euromotors.com: Log Error: Push error for subscription SIEM_AccessC: SCP fai...".

Re: Ironport set by SCP

Builder

I think the config looks fine. Something isn't right about that log message, though; it looks like it's logging a failure to send the alert email rather than the alert itself. Do you have the WSA configured to send email to you when this fails? Entries from both the WSA and the SSH server would be great.

A few guesses as to what else might be wrong:
- Directory permissions for /opt/splunk/var/log (should be writable by usrscp and at least readable by Splunk)
- Permissions for ~/.ssh for the usrscp user (should be 700).
- Permissions for ~/.ssh/authorized_keys (should be 644)
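The following script is an added example for this thread, not code from any poster or from Cisco or Splunk. It checks the receiving Splunk host for the items raised in the replies: the push directory writable by the SCP user, ~/.ssh at 700, ~/.ssh/authorized_keys at 644, and whether the server's sshd_config still lists SSH protocol 1 (the "Protocol major versions differ: 1 vs. 2" error is the WSA speaking SSH1 to a server that only speaks SSH2). The user name usrscp and the paths are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from the poster or from Cisco/Splunk.
# Run it on the Splunk host as the SCP user (usrscp in the thread), e.g.:
#   sh check_scp_receiver.sh /home/usrscp /opt/splunk/var/log
# The user name and paths are assumptions taken from the thread.

# Octal permission bits of a path (e.g. 700); returns 1 if it does not exist.
mode_of() {
    [ -e "$1" ] || return 1
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"   # GNU, then BSD stat
}

# Return 0 if PATH has exactly octal mode WANT, 1 otherwise (or if missing).
check_mode() {
    have=$(mode_of "$1") || return 1
    [ "$have" = "$2" ]
}

# Run the checks for HOME (the SCP user's home) and LOGDIR (the push target).
# The writability test is for the user running the script, so run it as the
# SCP user. Prints one line per check and returns the number of failures.
check_scp_receiver() {
    home=$1; logdir=$2; failures=0
    for spec in "$home/.ssh:700" "$home/.ssh/authorized_keys:644"; do
        p=${spec%:*}; want=${spec##*:}
        if check_mode "$p" "$want"; then
            echo "ok   $p is $want"
        else
            echo "FAIL $p is $(mode_of "$p" || echo missing), want $want"
            failures=$((failures + 1))
        fi
    done
    if [ -d "$logdir" ] && [ -w "$logdir" ]; then
        echo "ok   $logdir is writable by $(id -un)"
    else
        echo "FAIL $logdir is not a writable directory for $(id -un)"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Return 0 if an sshd_config still offers protocol 1 (e.g. "Protocol 2,1").
# Modern servers only speak version 2, which is why the WSA's SSH1 setting
# fails; the fix is selecting SSH2 on the WSA, this just confirms the server.
sshd_offers_v1() {
    grep -Ei '^[[:space:]]*Protocol[[:space:]]+([0-9]+,)*1(,[0-9]+)*[[:space:]]*$' "$1" >/dev/null 2>&1
}

if [ "$#" -eq 2 ]; then
    check_scp_receiver "$1" "$2"
fi
```

A non-zero exit from check_scp_receiver tells you how many of the three items failed, which is the first thing worth fixing before looking at the WSA side again; the sshd_config check only reports what the server offers, since the protocol version selection that matters is the one on the WSA log subscription.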