Ironport set by SCP

jrodriguezap
Contributor

Hello everyone.
I wanted to see if someone has previously configured IronPort to send logs by SCP. I tried to do it but did not get it working, so you can see what I did wrong; I did not find much information about it. In the logs that it sends via syslog, it shows:

Nov 22 10:07:04 192.168.1.64 Nov 22 10:09:13 SystemLog: Critical: Log Error: Push error for subscription WebFilter_SIEM: SCP failed to transfer to 172.24.150.35:None: Protocol major versions differ: 1 vs. 2 lost connection

If this has happened to someone, I would be very grateful.
Regards,


jtacy
Builder

The WSA has an option for SSH1 or SSH2 on the log subscription. I imagine most SSH servers have disabled version 1 so that could be your problem; I'd try selecting SSH2 on the WSA and giving it another try. Good luck!


jtacy
Builder

I think the config looks fine. Something isn't right about that log message, though; it looks like it's logging a failure to send the alert email rather than the alert itself. Do you have the WSA configured to send email to you when this fails? Entries from both the WSA and the SSH server would be great.

A few guesses as to what else might be wrong:
- Directory permissions for /opt/splunk/var/log (should be writable by usrscp and at least readable by Splunk)
- Permissions for ~/.ssh for the usrscp user (should be 700).
- Permissions for ~/.ssh/authorized_keys (should be 644)
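The SSH2 suggestion above and this post's permission list, as an added example that is my own script and not code from the thread, from Cisco or from Splunk: a POSIX shell script that classifies the WSA "Push error" text from syslog and audits the SCP host the way jtacy describes. It also checks the point raised later in the thread, that the WSA's public key must actually be present in authorized_keys. Assumed values are the usrscp user and /opt/splunk/var/log/ target from the thread, a /home/usrscp home directory, and a constructed (not real) public key in the stand-alone usage note below; the sample syslog text is the one from the question.

```shell
#!/bin/sh
# Added example (not from the thread): receiving-side checks for a Cisco WSA /
# IronPort "SCP on Remote Server" log subscription.
#   diagnose_push_error  - classifies the WSA "Push error" text seen in syslog
#   audit_scp_target     - checks home, ~/.ssh, authorized_keys and the target
#                          directory on the SCP host (the 700 / 644 / writable
#                          list from the thread, plus the ownership rules sshd
#                          applies under StrictModes)
# Assumed names taken from the thread: user usrscp, directory
# /opt/splunk/var/log/. The home path /home/usrscp is an assumption.

# mode_of PATH -> permission bits in octal (GNU stat, BSD stat as fallback)
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# owner_of PATH -> owning user name
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# has_perm PATH u+w|g+w|o+w -> true if that permission bit is set on PATH
has_perm() { find "$1" -maxdepth 0 -perm "-$2" 2>/dev/null | grep -q .; }

# problem TEXT -> print a finding and count it (n is reset by audit_scp_target)
problem() { echo "PROBLEM: $1"; n=$((n + 1)); }

# diagnose_push_error TEXT -> one-line cause for the WSA push error text
diagnose_push_error() {
    case "$1" in
        *"Protocol major versions differ: 1 vs. 2"*)
            echo "subscription uses SSH1 but the SCP host only accepts SSH2: set Protocol to SSH2" ;;
        *"Permission denied"*)
            echo "SSH key rejected: check authorized_keys content and StrictModes permissions" ;;
        *"No such file or directory"*)
            echo "target directory missing on the SCP host" ;;
        *"Connection refused"*|*"No route to host"*|*"timed out"*)
            echo "sshd not reachable: check the service, port 22 and firewalls" ;;
        *)
            echo "unclassified push error" ;;
    esac
}

# audit_scp_target HOME_DIR TARGET_DIR USER -> prints findings, returns the
# number of problems (0 means the host side is ready for the WSA push)
audit_scp_target() {
    home=$1; target=$2; user=$3; n=0
    ak=$home/.ssh/authorized_keys

    # With StrictModes (the default) sshd ignores authorized_keys entirely if
    # the home directory or ~/.ssh is writable by group or others.
    if has_perm "$home" g+w || has_perm "$home" o+w; then
        problem "$home is group/world writable; sshd will refuse the key"
    fi
    if [ ! -d "$home/.ssh" ]; then
        problem "$home/.ssh missing"
    else
        [ "$(mode_of "$home/.ssh")" = 700 ] || problem "$home/.ssh should be mode 700"
        if [ ! -f "$ak" ]; then
            problem "$ak missing: paste the public key the WSA shows for the subscription"
        else
            case "$(mode_of "$ak")" in
                644|600) ;;
                *) problem "$ak should be mode 644 (600 also works)" ;;
            esac
            grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) ' "$ak" \
                || problem "$ak has no public key line"
        fi
    fi
    if [ ! -d "$target" ]; then
        problem "$target does not exist on this host"
    elif ! { [ "$(owner_of "$target")" = "$user" ] && has_perm "$target" u+w; } \
         && ! has_perm "$target" o+w; then
        problem "$target is not writable by $user"
    fi
    [ "$n" -eq 0 ] && echo "OK: $user can push into $target on this host"
    return "$n"
}

# Worked input: the syslog line from the original post.
diagnose_push_error 'SystemLog: Critical: Log Error: Push error for subscription WebFilter_SIEM: SCP failed to transfer to 172.24.150.35:None: Protocol major versions differ: 1 vs. 2 lost connection'

# Stand-alone use on the SCP host, as root:  sh scp_push_check.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_scp_target /home/usrscp /opt/splunk/var/log usrscp
fi
```

Run it as root on the Splunk host with the `audit` argument; a nonzero exit means at least one PROBLEM line was printed. The StrictModes check is there because a group-writable home directory or ~/.ssh makes sshd skip the key and log only "Authentication refused: bad ownership or modes" on the server side, which is why the SSH server's own log is worth collecting alongside the WSA's.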

jrodriguezap
Contributor

Hi, my configuration in IronPort is:

*SCP on Remote Server
  Maximum Time Interval Between Transferring: 3600
  Protocol: SSH2
  SCP Host: 172.24.150.35
  Directory: /opt/splunk/var/log/
  Username: usrscp

Is something missing?
The log shows the following:

Nov 26 15:43:48 192.168.1.64 Nov 26 15:44:19 SIEM_System: Critical: Error while sending alert: Unable to send System/Critical alert to alerts@ironport.com with subject "Critical <System> ironport.euromotors.com: Log Error: Push error for subscription SIEM_AccessC: SCP fai...".

jtacy
Builder

Hmm...I'm surprised that didn't fix it. To be clear, you're still getting the exact same error after setting the log subscription to SSH2? Do you have any log entries from the SSH host?


jrodriguezap
Contributor

Hello there.
I disabled SSH1 in IronPort, but the problem persists.
I understand that when I set up SCP, the IronPort generates a key that I should add to the Splunk server's authorized_keys, which I did, and it still does not work. What else could be missing?

Thanks


jrodriguezap
Contributor

😞
Does anyone have a comment?
