Troubleshooting
Problem
The following error is seen on a Log File SFTP protocol log source configured with SSH Key File:
Error: invalid privatekey: [B@19fa1e96
Symptom
- The log source status is Error.
- When the Test tool runs on the Log Source Management app, this error message appears:
Testing DNS resolution of [xxxxxx] - Passed
  - Successfully resolved [xxxxxx] to IP [x.x.x.x]
Testing TCP connection to [xxxxxx:22] - Passed
  - Attempting TCP connection to [xxxxxx:22] with a timeout of 10000 ms
  - Successful TCP connection to [xxxxxx:22]
Testing [SFTP] connection to [xxxxxx:22] - Failed
  - Using SSH key authenticating as <user>.
  - Connecting to 'xxxxxx' on port 22...
  - Error: invalid privatekey: [B@19fa1e96
Validating remote directory [/folder] - Cancelled
Validating file pattern [.*] - Cancelled
Events (0):
  - Error: One or more tests have failed - cancelling sample event collection
- The following error is logged in /var/log/qradar.error:
Sep 13 16:10:44 <...> com.q1labs.semsources.sources.remote.testing.sftp.SFTPConnectionSubtester: [ERROR] com.jcraft.jsch.JSchException: invalid privatekey: [B@4f3bcaa2
Cause
The error occurs because QRadar uses the Java Secure Channel (JSch) library.
OpenSSH 7.8 and newer generate private keys in the new OpenSSH format by default, and JSch does not support that format.
The new OpenSSH key format starts with:
-----BEGIN OPENSSH PRIVATE KEY-----
Resolving The Problem
To resolve the issue, you need to change the key format from OPENSSH to RSA:
- SSH to the QRadar console.
- Move to the folder where you put the key for this log source configuration.
cd /opt/qradar/conf/keys/
- Take a backup of the original key file.
cp -p <key_file> /storetmp/ibm_support/certbackup
Note: If the backup location does not exist, create the directory structure.
- Change the key format by running the following command.
ssh-keygen -p -f <key_file> -m pem -P "" -N ""
- Update the key path field for log source configuration in the Log Source Management app with the new .pem key name.
Result:
The Log File SFTP log source is able to collect the logs without any error.
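The header check from the Cause section and the backup and conversion steps above, combined into one script. This is an added example, not IBM's own code: `key_format`, `convert_key_to_pem` and the `BACKUP_DIR` override are hypothetical names, and the script goes one step further than the procedure by re-checking the key header after conversion.

```bash
#!/usr/bin/env bash
# Added example: classify a private key by its header line, then apply the
# technote's backup and ssh-keygen steps only to keys that need converting.

# Print "openssh", "pem" or "unknown" for the key file given as $1.
key_format() {
    local header
    # Strip a trailing CR so keys saved with Windows line endings still match.
    header=$(head -n 1 -- "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo openssh ;;   # the format JSch rejects, per the Cause section
        "-----BEGIN RSA PRIVATE KEY-----" | "-----BEGIN DSA PRIVATE KEY-----" | \
        "-----BEGIN EC PRIVATE KEY-----")
            echo pem ;;       # legacy PEM headers
        *)
            echo unknown ;;
    esac
}

# Back up and convert $1 in place. Returns 0 on success or no-op, 2 if the
# file is not a recognised key, 1 or 3 if a step fails.
convert_key_to_pem() {
    local key="$1"
    local backup_dir="${BACKUP_DIR:-/storetmp/ibm_support/certbackup}"
    case "$(key_format "$key")" in
        pem)     echo "$key: already PEM, nothing to do"; return 0 ;;
        openssh) ;;
        *)       echo "$key: not a recognised private key" >&2; return 2 ;;
    esac
    # The backup is a private key too: create the directory owner-only.
    mkdir -p -m 700 -- "$backup_dir" || return 1
    cp -p -- "$key" "$backup_dir/" || return 1
    # Command from the steps above; -P "" assumes the key has no passphrase.
    ssh-keygen -p -f "$key" -m pem -P "" -N "" >/dev/null || return 1
    # Re-read the header rather than trusting the exit status: ssh-keygen can
    # leave a key type it cannot store as PEM (Ed25519) in the OpenSSH format.
    if [ "$(key_format "$key")" != pem ]; then
        echo "$key: still not PEM after conversion" >&2
        return 3
    fi
    echo "$key: converted to PEM, backup in $backup_dir"
}

# Run against a key when a path is given: ./convert_key.sh <key_file>
[ "$#" -eq 0 ] || convert_key_to_pem "$1"
```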
Document Location
Worldwide
Document Information
Modified date: 29 May 2024
UID: ibm17035593