[STRM/JSA] Configuring a log source to use SSH keys

Article ID: KB34702 KB Last Updated: 27 Jul 2019 Version: 1.0
Summary:

This procedure outlines how to create and copy SSH keys for systems that JSA interacts with over SSH. An example of where this procedure might be required is for log sources or vulnerability scan data that JSA retrieves using SSH. The process outlines how to create and configure SSH authorized keys.

Symptoms:

When configuring a log source in JSA, administrators can configure the log source to use an SSH authorized key. If the remote system is not configured properly, the following errors might be generated in /var/log/qradar.error because the authorized key file does not exist.

ERROR - Event Collection Status: Problem gathering/parsing events
ERROR - File Transfer Status: Could not transfer file(s)
ERROR - Authentication Status: Auth Failed: ssh connection failed to root@IP Address :22 with exception: java.io.FileNotFoundException: /root/.ssh/keysgss (No such directory)
ERROR - Event Collection Status: Problem gathering/parsing events
ERROR - File Transfer Status: Could not transfer file(s)
ERROR - Authentication Status: Auth Failed: ssh connection failed to root@IP Address:22
Cause:

Missing or improperly configured SSH keys.

Solution:
  1. Generate an SSH2 key pair on JSA to create a public and private SSH key:

    ssh-keygen -t dsa
  2. Optional. Copy the public (.pub) key over to the JSA managed host that is managing the log source.

    Note: For All-in-One appliances, this step is not required. For JSA deployments with multiple appliances, the public key must reside on the managed host making the SSH connection.

    scp <file>.pub user@<IP>:/filelocation
  3. On the remote server containing the event data, create a .ssh directory for your account. This step is only required if the .ssh directory does not exist.

    mkdir -p ~/.ssh
    touch ~/.ssh/authorized_keys
    chmod 600 ~/.ssh/authorized_keys
  4. Append the contents of the .pub file to the authorized_keys file on the remote server.

    cat ~/<filename>.pub >> ~/.ssh/authorized_keys
  5. On the JSA appliance, configure the log source with the path to the private key file generated in step 1.

    NOTE: The private key is a different file from the .pub key that was copied.
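Steps 3 and 4 can be made repeatable and then verified before the log source is configured in JSA. The script below is an added example, not part of the original article or any JSA tooling; the function names and the optional HOME_DIR argument are illustrative assumptions, and the `chmod go-w` on `.ssh` goes beyond the article's steps.

```shell
#!/bin/sh
# Added example: steps 3-4 made idempotent, plus a verification pass.
# Run on the remote server. Function names and HOME_DIR are illustrative.

# install_pubkey PUBFILE [HOME_DIR]
install_pubkey() {
    pub=$1; home=${2:-$HOME}; ak="$home/.ssh/authorized_keys"
    [ -s "$pub" ] || { echo "missing or empty key file: $pub" >&2; return 1; }
    key=$(head -n 1 "$pub")
    mkdir -p "$home/.ssh" && touch "$ak" && chmod 600 "$ak" || return 1
    # Added beyond the article: sshd with StrictModes (the default) ignores
    # keys under a directory that group or others can write to.
    chmod go-w "$home/.ssh" || return 1
    # Append only if this exact line is absent, so reruns do not duplicate it.
    grep -qxF -- "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
}

# mode_of PATH: print the 10-character mode string, e.g. -rw-------
mode_of() { ls -ld "$1" | cut -c1-10; }

# check_key_setup PUBFILE [HOME_DIR]: return 0 only if the key is installed
# exactly once and the permissions are what the procedure sets.
check_key_setup() {
    pub=$1; home=${2:-$HOME}; ak="$home/.ssh/authorized_keys"
    [ -d "$home/.ssh" ] || { echo "FAIL: $home/.ssh does not exist"; return 1; }
    [ -f "$ak" ] || { echo "FAIL: $ak does not exist"; return 1; }
    case $(mode_of "$home/.ssh") in
        d????-??-?) ;;   # group-write and other-write bits are clear
        *) echo "FAIL: $home/.ssh is writable by group or others"; return 1 ;;
    esac
    [ "$(mode_of "$ak")" = "-rw-------" ] ||
        { echo "FAIL: $ak is not mode 600"; return 1; }
    n=$(grep -cxF -- "$(head -n 1 "$pub")" "$ak") || true
    [ "$n" -eq 1 ] || { echo "FAIL: key appears $n times in $ak"; return 1; }
    echo "OK: key installed once in $ak"
}

# Usage on the remote server, after copying the key over:
#   install_pubkey ~/<filename>.pub && check_key_setup ~/<filename>.pub
```

A FAIL line names the first condition that would prevent key authentication, which narrows down the "Auth Failed" errors shown under Symptoms.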
