2014-03-26 08:04 AM
Of late we have been experiencing a strange issue: we are unable to pull logs from non-domain controllers. However, with the same event source we are able to pull events from domain controllers.
While investigating we found the below error message.
[windows:WrkUnit[1]:3549] [doWork:165] [NawrasAd.10_x_x_x] [processing] [NawrasAd.10_x_x_x] Unable to subscribe for events with Windows event source 10.x.x.x: 401/Unauthorized.
Possible causes:
- Event source (10.x.x.x) not a FQDN. DNS resolution failed or does not map to a Kerberos Realm.
Recently we upgraded SA to 10.3 after the suggestion from technical support, yet the issue persists.
Thanks in advance.
2014-04-01 06:17 AM
I have different timezones: one timezone on log collector, legacy log collector and another on domain controllers, non-domain controllers and non-domain servers. And all of the collection works. So it isn't the issue.
I suggest using a script and not setting up winrm manually. It's here:
Also, the Collector log contains useful info.
Try it and ping us back
2014-04-01 07:12 AM
Different time zone - no problem; it's a problem if the time difference between the Kerberos server and client is more than 5 minutes...
2014-04-07 03:41 AM
Issue is still not resolved. Any other comments or thoughts?
2014-04-07 08:45 AM
Did you try enabling winrm with a script that I was referring to? Can you resolve ip/name from collector?
2014-04-07 08:48 AM
Yes, I tried the winrm set script, yet no luck. Also, I am able to resolve IP to DNS name from the collector...
2014-04-07 09:12 AM
Then can you show the Kerberos config and the event source config? They may be misconfigured.
2014-04-07 09:14 AM
Can you try the winrs command from another machine to confirm that winrm is working fine?
For example, I tested in my lab:
winrs -r:https://srv6.exchange.local:5986 -u:administrator -p:Passw0rd2 dir
If you are using https, you need to add the certificate.
2014-06-11 06:01 AM
Sorry, I wasn't able to reply sooner. Thank you all for the tips.
In my case, Kerberos wasn't set correctly. Now it is working like a charm.
2014-06-11 11:08 AM
Glad you resolved your problem. 🙂
2014-07-15 04:04 AM
What was the issue with Kerberos? What exactly did you do to resolve it?