NetWitness Community

FranklinFiguero · ‎2019-04-17

Hello guys,

I have the following: Domain controller with Win server 2008 R2, WinRM configured and passed connectivity with Netwitness, but only can see two events security logs (log on, log off), I already double check the configuration and looks fine.

Anyone know what could be happens?

DaveGlover · ‎2019-04-17

Franklin

Do you see all the events in the security event log?

Dave

FranklinFiguero · ‎2019-04-17

Yes Sir, all security events shows in Event viewer.

DaveGlover · ‎2019-04-17

Franklin

Do you see anything in the logs on the log collector saying anything like ‘resubscribing’

Dave

FranklinFiguero · ‎2019-04-22

Hello Dave,

I dont see any ‘resubscribing’

FranklinFiguero · ‎2019-04-22

I will share that, maybe can help,

As you can see, just those events can see in NW

DC07

sessionid	=	102381292945
time	=	2019-04-22T07:36:59.0
size	=	2295
lc.cid	=	"s460rsahbrl01"
forward.ip	=	127.0.0.1
device.host	=	"S460DC7.xxxxxxx.com"
medium	=	32
device.type	=	"winevent_nic"
device.class	=	"Windows Hosts"
header.id	=	"0004"
event.desc	=	"An account was successfully logged on."
event.user	=	"-"
logon.type	=	"3"
obj.name	=	"Impersonation"
user.dst	=	"BMoya"
domain	=	"BRRD"
alias.host	=	"-"
ip.src	=	172.xx.xx.xx
netname	=	"private src"
process	=	"Kerberos"
service.name	=	"-"
ec.theme	=	"Authentication"
ec.subject	=	"User"
ec.activity	=	"Logon"
ec.outcome	=	"Success"
event.time	=	2019-04-22 11:36:51.000
reference.id	=	"4624"
event.source	=	"Microsoft-Windows-Security-Auditing"
event.type	=	"Audit Success"
event.computer	=	"S460DC7.xxxxxxxx"
category	=	"Logon"
obj.type	=	"Impersonation Level"
logon.type.desc	=	"network"
disposition	=	"SUCCESS"
msg.id	=	"Security_4624_Microsoft-Windows-Security-Auditing"
event.cat.name	=	"User.Activity.Successful Logins"
device.group	=	"All Windows Event Source(s)"

DC06

sessionid	=	102380386677
time	=	2019-04-22T07:23:06.0
size	=	676

lc.cid	=	"s460rsahbrl01"
forward.ip	=	127.0.0.1
device.host	=	"s460dc6.xxxxxxxxx"
medium	=	32
device.type	=	"winevent_nic"
device.class	=	"Windows Hosts"
header.id	=	"0004"
event.desc	=	"An account was logged off."
user.dst	=	"BMoya"
domain	=	"BRRD"
logon.type	=	"3"
ec.subject	=	"User"
ec.activity	=	"Logoff"
event.time	=	2019-04-22 11:22:27.000
reference.id	=	"4634"
event.source	=	"Microsoft-Windows-Security-Auditing"
event.type	=	"Audit Success"
event.computer	=	"S460DC6.xxxxxxxx"
category	=	"Logoff"
logon.type.desc	=	"network"
disposition	=	"SUCCESS"
msg.id	=	"Security_4634_Microsoft-Windows-Security-Auditing"
event.cat.name	=	"User.Activity.Logoff"
device.group	=	"All Windows Event Source(s)"

sessionid	=	102381509787
time	=	2019-04-22T07:39:53.0
size	=	2115
lc.cid	=	"s460rsahbrl01"
forward.ip	=	127.0.0.1
device.host	=	"s460dc5.xxxxxxxxx"
medium	=	32
device.type	=	"winevent_nic"
device.class	=	"Windows Hosts"
header.id	=	"0004"
event.desc	=	"An account was successfully logged on."
event.user	=	"-"
logon.type	=	"3"
user.dst	=	"S460DC5$"
domain	=	"BRRD"
ip.src	=	192.168.0.1
netname	=	"private src"
process	=	"Kerberos"
service.name	=	"-"

ec.theme	=	"Authentication"
ec.subject	=	"User"
ec.activity	=	"Logon"
ec.outcome	=	"Success"
event.time	=	2019-04-22 11:39:48.000
reference.id	=	"4624"
event.source	=	"Microsoft-Windows-Security-Auditing"
event.type	=	"Audit Success"
event.computer	=	"s460dc5.xxxxxxxxxx"
category	=	"Logon"
obj.type	=	"Impersonation Level"
logon.type.desc	=	"network"
disposition	=	"SUCCESS"
msg.id	=	"Security_4624_Microsoft-Windows-Security-Auditing"
event.cat.name	=	"User.Activity.Successful Logins"
device.group	=	"All Windows Event Source(s)"

NetWitness Community

Can't receive Security logs from DC