Getting Data In

Ironport set by SCP

jrodriguezap
Contributor

Hello everyone.
I wanted to see if someone has previously configured IronPort to send logs by SCP. I tried to do it but did not get it working, so you can see what I did wrong. I did not find much information about it; the log that it sends via syslog shows:

Nov 22 10:07:04 192.168.1.64 Nov 22 10:09:13 SystemLog: Critical: Log Error: Push error for subscription WebFilter_SIEM: SCP failed to transfer to 172.24.150.35:None: Protocol major versions differ: 1 vs. 2 lost connection

If this has happened to someone, I would be very grateful.
Regards,

0 Karma

jtacy
Builder

The WSA has an option for SSH1 or SSH2 on the log subscription. I imagine most SSH servers have disabled version 1 so that could be your problem; I'd try selecting SSH2 on the WSA and giving it another try. Good luck!

0 Karma

jtacy
Builder

I think the config looks fine. Something isn't right about that log message, though; it looks like it's logging a failure to send the alert email rather than the alert itself. Do you have the WSA configured to send email to you when this fails? Entries from both the WSA and the SSH server would be great.

A few guesses as to what else might be wrong:
- Directory permissions for /opt/splunk/var/log (should be writable by usrscp and at least readable by Splunk)
- Permissions for ~/.ssh for the usrscp user (should be 700).
- Permissions for ~/.ssh/authorized_keys (should be 644)
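
A script to run on the SSH host that checks the three items just listed, plus the SSH1/SSH2 point from the earlier reply. This is an added example, not something posted in the thread; it assumes GNU stat (-c) and that the SCP account name, its home directory, the landing directory and the sshd_config path are passed in as arguments.

```sh
#!/bin/sh
# Added example (not from the thread): checks on the Splunk-side SSH host for the
# WSA log-push prerequisites discussed above. Assumes GNU coreutils stat.

# Does this sshd_config still offer SSH protocol 1? Returns 0 if it does.
# A WSA subscription set to SSH1 against an SSH2-only server fails with
# "Protocol major versions differ: 1 vs. 2".
sshd_allows_v1() {
  awk 'tolower($1) == "protocol" {
         n = split($2, v, ",")
         for (i = 1; i <= n; i++) if (v[i] == "1") found = 1
       }
       END { exit !found }' "$1"
}

# check_scp_prereqs <scp_user> <scp_home> <landing_dir>
# Prints one line per problem found; returns 1 if any, 0 otherwise.
check_scp_prereqs() {
  scp_user=$1; scp_home=$2; landing=$3; rc=0
  if [ ! -d "$landing" ]; then
    echo "landing directory $landing does not exist"; rc=1
  else
    perm=$(stat -c %A "$landing"); owner=$(stat -c %U "$landing")
    # Owner must be the SCP account and hold the write bit (3rd char of drwx...).
    case "$owner:$perm" in
      "$scp_user":??w*) ;;
      *) echo "$landing must be owned and writable by $scp_user (got $owner $perm)"; rc=1 ;;
    esac
    # Splunk runs as a different account (assumed to read via group or other).
    case "$perm" in
      ????r*|???????r*) ;;
      *) echo "$landing is not readable by group or other: $perm"; rc=1 ;;
    esac
  fi
  mode=$(stat -c %a "$scp_home/.ssh" 2>/dev/null || echo missing)
  [ "$mode" = 700 ] || { echo "$scp_home/.ssh should be 700, is $mode"; rc=1; }
  mode=$(stat -c %a "$scp_home/.ssh/authorized_keys" 2>/dev/null || echo missing)
  # sshd accepts 644 (as suggested above) or the stricter 600.
  case "$mode" in
    644|600) ;;
    *) echo "$scp_home/.ssh/authorized_keys should be 644 or 600, is $mode"; rc=1 ;;
  esac
  return $rc
}
```

Run it as root, e.g. `check_scp_prereqs usrscp /home/usrscp /opt/splunk/var/log` and `sshd_allows_v1 /etc/ssh/sshd_config`, and compare the output with the SSH server's auth log for the same push attempt.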

jrodriguezap
Contributor

Hi, my configuration in IronPort is:

SCP on Remote Server
  Maximum Time Interval Between Transferring: 3600
  Protocol: SSH2
  SCP Host: 172.24.150.35
  Directory: /opt/splunk/var/log/
  Username: usrscp

Is something missing?
The log comes out as follows:

Nov 26 15:43:48 192.168.1.64 Nov 26 15:44:19 SIEM_System: Critical: Error while sending alert: Unable to send System/Critical alert to alerts@ironport.com with subject "Critical <System> ironport.euromotors.com: Log Error: Push error for subscription SIEM_AccessC: SCP fai...".
0 Karma

jtacy
Builder

Hmm...I'm surprised that didn't fix it. To be clear, you're still getting the exact same error after setting the log subscription to SSH2? Do you have any log entries from the SSH host?

0 Karma

jrodriguezap
Contributor

Hello.
I disabled SSH1 in IronPort, but the problem persists.
I understand that when I set up SCP, the IronPort generates a key that I should add to authorized_keys on the Splunk server. I did that and it still does not work; what else could be missing?

Thanks

0 Karma

jrodriguezap
Contributor

😞
Any comment from someone?

0 Karma