2014-06-23 03:03 AM
Hello All,
I am trying to integrate one of my Windows Server 2003 systems with RSA SA through the Windows Legacy Collector.
I am doing all this on Windows Server 2008.
Every time I try to save the Sceregvl.inf after making some changes in the file, it prompts ACCESS DENIED.
Below are the lines which I am saving in the above file.
Use a text editor such as Notepad to open the Sceregvl.inf in the %Windir%\Inf folder.
3. Add the following lines to the [Register Registry Values] section:
MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2
4. Add the following lines to the [Strings] section:
AppCustomSD="Eventlog: Security descriptor for Application event log"
SecCustomSD="Eventlog: Security descriptor for Security event log"
SysCustomSD="Eventlog: Security descriptor for System event log"
DSCustomSD="Eventlog: Security descriptor for Directory Service event log"
DNSCustomSD="Eventlog: Security descriptor for DNS Server event log"
FRSCustomSD="Eventlog: Security descriptor for File Replication Service event log"
5. Save the changes you made to the Sceregvl.inf file, and run the regsvr32 scecli.dll command.
Below is the screenshot of the error when I try to save the file.
Kindly suggest how I can save the file and install the Windows Legacy Collector on Windows Server 2008.
Thanks in advance.
2014-07-01 03:34 AM
Hi,
It worked fine for me so it must be a local issue for you. Some obvious things I can think of checking:
Before you make any changes I'd suggest taking a copy of the Sceregvl.inf file.
If you are getting access denied messages check the event logs (security?) to check out the error.
Hope this helps.
2014-07-03 12:12 PM
Try to open Notepad as Administrator. Right-click on Notepad, select "Run as administrator", then open the file you want to edit.
2014-07-19 04:03 AM
Hi, it worked for me when I used the domain administrator credentials, but I can't add the Windows Legacy Collector to SA.
Are you able to add the Windows Legacy Collector in SA?
I have a problem adding the Windows Legacy Collector. The Windows Legacy Collector installed successfully on a domain-joined Windows 2008 server, but I am not able to add it to SA.
Here is the log I found in sa.log.
2014-07-19 07:50:47,242 [CARLOS NextGen Heartbeat] WARN org.springframework.web.client.RestTemplate - GET request for "http://10.0.0.140:50101/sys/stats/current.time" resulted in 401 (Unauthorized); invoking error handler
I also changed and synced the clock on Windows using UTC, but I still cannot add it.
2014-07-20 01:29 AM
All good now, managed to install the 10.3.0 Windows remote legacy collector on Windows Server 2008 and successfully added it to SA.
2014-07-22 12:11 PM
Hello Md Salleh,
If you want to collect the logs of an MS Windows Server 2003, then you need to install a legacy collector on any MS Windows Server 2008 machine.
Then configure that collector's settings on the Windows Server 2008 machine and add that particular IP in SA by choosing the log collector service under add devices in SA, the same way you add a log decoder and a log collector: in the IP field, enter the IP of the Server 2008 machine, then select the same device in SA, go to View > Config, and enter the details of the Server 2003 machine there.
It must work, as I have configured many 2003 servers the same way.
Thanks & Regards,
Deepanshu Sood.
2014-07-22 12:24 PM
Hi Deepanshu, thank you.
Yes, it's working now. It troubled me at first because of the permission issue on Windows when installing the Windows Legacy collector.
I discovered one thing: the Windows remote legacy version 10.3.3 (latest) can't be installed on Windows Server 2008.
I had to use Windows remote legacy 10.3.0 to install on my Windows Server 2008.
2014-07-28 05:25 AM
Hi,
We had the same issue installing the Windows Legacy Agent on Windows Server 2008. It was a permission issue.
This solution also works with the latest Windows Legacy Agent released on 16 July 2014:
1. Log on to the Windows Server 2008 as a local administrator.
2. Make a backup copy of the c:\windows\inf\Sceregvl.inf file (security template containing system objects security policies) and save it somewhere safe and secure.
3. The Sceregvl.inf file was owned by the internal user TrustedInstaller, and the local Administrators group only had ‘Read and execute’ and ‘Read’ access to the file. So first, take ownership of the file and then give it full access rights in order to edit it successfully:
Using Windows Explorer, secondary mouse click on the c:\windows\inf\Sceregvl.inf file and select ‘Properties’
Click on the ‘Security’ tab
Click the ‘Advanced’ button
Click the ‘Owner’ tab
Click the ‘Edit…’ button
Under “Change Owner to:” box, highlight the ‘Administrators’ group and click on OK
Read the Windows Security message window that pops up and click on
Click OK to close “Advanced Security Settings for Sceregvl.inf” form.
Click OK to close “Sceregvl.inf Properties” form.
4. Give the local Administrators group ‘Full Access’ to the Sceregvl.inf file:
Using Windows Explorer, secondary mouse click on the c:\windows\inf\Sceregvl.inf file and select ‘Properties’
Click on the ‘Security’ tab
Click on the ‘Edit…’ button
Under “Group or User names:” box, highlight the ‘Administrators’ group
Under the “Permissions for Administrators:” box select ‘Full control’, under the Allow column and click OK
Click OK to close “Sceregvl.inf Properties” form.
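
The ownership and permission steps from the post above, in command-line form, as an added example that is not part of the original thread or of RSA's documentation. The C:\Backup paths and the function names are assumptions for illustration, and putting the original owner and DACL back after the edit is an added step the thread does not describe.

```powershell
# Added example. Run from an elevated PowerShell prompt on the Windows Server 2008 host.
$inf    = Join-Path $env:windir 'inf\sceregvl.inf'
$infDir = Split-Path $inf
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$bakDir = 'C:\Backup'                            # assumed backup location
$backup = Join-Path $bakDir "sceregvl.inf.$stamp"
$aclOut = Join-Path $bakDir "sceregvl.acl.$stamp"
$admins = '*S-1-5-32-544'                        # well-known SID of BUILTIN\Administrators

# Run a native tool and stop on a non-zero exit code instead of continuing silently.
function Invoke-Checked([string]$exe, [string[]]$argv) {
    & $exe $argv
    if ($LASTEXITCODE -ne 0) { throw "$exe failed with exit code $LASTEXITCODE" }
}

# Steps 2-4 of the post: back up the file, take ownership, grant Full control.
function Unlock-SceregvlInf {
    New-Item -ItemType Directory -Path $bakDir -Force | Out-Null
    Copy-Item $inf $backup
    Invoke-Checked 'icacls.exe'  @($inf, '/save', $aclOut)       # keep the original DACL
    Invoke-Checked 'takeown.exe' @('/F', $inf, '/A')             # owner -> Administrators group
    Invoke-Checked 'icacls.exe'  @($inf, '/grant', "${admins}:F")
}

# Added step (not in the thread): return the file to its original owner and DACL.
# The owner is reset first, while Administrators still hold Full control.
function Lock-SceregvlInf {
    Invoke-Checked 'icacls.exe' @($inf, '/setowner', 'NT SERVICE\TrustedInstaller')
    Invoke-Checked 'icacls.exe' @($infDir, '/restore', $aclOut)
    & icacls.exe $inf                                            # show the resulting ACL for review
}

# Sequence:
#   Unlock-SceregvlInf
#   ...edit the [Register Registry Values] and [Strings] sections, save...
#   regsvr32 scecli.dll
#   Lock-SceregvlInf
```

icacls /save records only the DACL, which is why the owner is reset with a separate /setowner call.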