2023-11-24 10:13 PM - edited 2023-11-24 10:14 PM
Hi Team,
Please help me with the VLC configuration for WinRM log collection from Windows Server 2012 R2.
I have done the config on the VLC side, but the VLC is giving an error.
[root@DR-VLC ~]# rpm -qa |grep -i krb
pam_krb5-2.3.11-9.el6.x86_64
krb5-workstation-1.10.3-42z1.el6_7.x86_64
krb5-libs-1.10.3-42z1.el6_7.x86_64
[root@DR-VLC ~]# yum install krb5-libs-1.10.3-42z1.el6_7.x86_64
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
Package krb5-libs-1.10.3-42z1.el6_7.x86_64 already installed and latest version
Nothing to do
[root@DR-VLC ~]# yum install pam_krb5
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
Package pam_krb5-2.3.11-9.el6.x86_64 already installed and latest version
Nothing to do
[root@DR-VLC ~]# yum install krb5-workstation
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
Package krb5-workstation-1.10.3-42z1.el6_7.x86_64 already installed and latest version
Nothing to do
[root@DR-VLC ~]# authconfig-tui
[root@DR-VLC ~]# kinit rsatest@PS.IN
kinit: Cannot contact any KDC for realm 'PS.IN' while getting initial credentials
[root@DR-VLC ~]# kinit rsatest@PS.IN
kinit: Cannot contact any KDC for realm 'PS.IN' while getting initial credentials
[root@DR-VLC ~]# vi /etc/hosts
[root@DR-VLC ~]# vi /etc/resolv.conf
[root@DR-VLC ~]# vi /etc/pam.d/netwitness
[root@DR-VLC ~]# vi /etc/krb5.conf
[root@DR-VLC ~]# service network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: Determining if ip address 192.168.30.15 is already in use for device eth0...
[ OK ]
[root@DR-VLC ~]# kinit rsatest@PS.IN
kinit: Resource temporarily unavailable while getting initial credentials
[root@E30_VLC ~]# vi /etc/hosts
# Created by NetWitness Installer on Thu Oct 26 06:00:14 UTC 2023
127.0.0.1 DR-VLC DR-VLC.PS.IN localhost.localdom localhost
::1 DR-VLC DR-VLC.PS.IN localhost.localdom localhost ip6-localhost ip6-loopback
192.168.8.140 puppetmaster.local
192.168.30.15 DR-VLC.PS.IN DR-VLC
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = PS.IN
[realms]
PS.IN = {
kdc = dc1.ps.in
kdc = dc2.ps.in
kdc = dr.ps.in
admin_server = dc1.ps.in
}
[domain_realm]
ps.in = PS.IN
.ps.in = PS.IN
[root@DR-VLC ~]# vi /etc/pam.d/netwitness
##
## This configuration file configures NetWitness to use PAM login modules
## for authentication when setting the External Auth Type option for Netwitness User Accounts.
## For more information see the Linux-PAM System Administrators Guide
## http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html
##
## Sample of standard UNIX authentication
##
#auth required pam_unix.so
#account required pam_deny.so
#password required pam_deny.so
#session required pam_deny.so
auth required pam_krb5.so no_user_check
[root@DR-VLC ~]# vi /etc/resolv.conf
nameserver 192.168.1.149
nameserver 192.168.1.164
nameserver 192.168.135.146
search ps.in
Please guide me on the right steps to configure the VLC for Windows 2012 R2 log collection.
2023-11-28 05:10 PM
What are you using for instructions to set this up? Are you looking at any instructions or are you attempting to set this up without instructions?
Please review the following page: https://community.netwitness.com//t5/netwitness-platform-integrations/microsoft-winrm-configuration-and-troubleshooting/ta-p/563701. There are two integration documents in this location for setting up Windows 2012 R2. I'm not completely sure what versions of NetWitness this document is geared toward, but I can tell from the copyright that it should be usable for your situation. Please review the documents and see if this helps you set up your VLC to collect from Windows 2012 R2. I know from experience that setting up WinRM connections in 10.6.6 is not an easy task as it can be very finicky. 11.x and 12.x are much better at it than previous versions.
Please note that as you are running 10.6.6, which has not been a supported version of NetWitness for more than 5 years, you will find that getting assistance with this old of an instance is going to be very difficult. Your organization really needs to upgrade to 12.2 or later of NetWitness to make sure that you can gain access to our NetWitness support organization. We can continue to try and provide some assistance via these discussion posts but please know that due to the age of the version of NetWitness it is going to get more and more difficult to find the answers you are looking for.
2023-12-02 03:02 AM
Hi @JohnKisner
Thanks for your concern about my problem.
I am very well aware of WinRM troubleshooting on the Windows side.
But I do not have knowledge of configuring a VLC (CentOS 6.7 version) on RSA NetWitness 10.6.6.0 for WinRM.
So, I want details on the VLC config steps and port details for this process.
My NTP SA and VLC have synchronized.
The problem I am facing may be due to a firewall or IPS blocking the communication ports.
Lastly, but most importantly, my customer is not upgrading this old system.
As a service provider, we are also suggesting the upgrade.
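A diagnostic for the two questions raised in this thread (kinit cannot contact a KDC, and whether a firewall or IPS is in the way), added here as an example and not part of any post or of NetWitness documentation: it reads the KDCs that krb5.conf names for a realm, then checks name resolution and TCP port 88 for each. The function names and the sample config are constructed; Kerberos also uses UDP 88, which this does not test.

```shell
#!/bin/sh
# Usage: sh kdc_check.sh PS.IN /etc/krb5.conf   (script name is hypothetical)

# Print "host port" for every kdc entry of realm $1 in krb5.conf-style file $2.
# Pass "-" as the file to read from stdin. Default Kerberos port is 88.
list_kdcs() {
    awk -v realm="$1" '
        /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); in_realm = 0; next }
        in_realms && $1 == realm && $2 == "=" { in_realm = 1; next }
        in_realm && /}/ { in_realm = 0; next }
        in_realm && $1 == "kdc" && $2 == "=" {
            n = split($3, hp, ":")
            print hp[1], (n > 1 ? hp[2] : 88)
        }
    ' "$2"
}

# Succeed if a TCP connection to host $1 port $2 opens within 3 seconds.
# Uses bash's /dev/tcp so no extra packages are needed on the collector.
probe() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# For each KDC of realm $1 in file $2, separate a DNS/hosts problem from a blocked port.
check_realm() {
    list_kdcs "$1" "$2" | while read -r host port; do
        if ! getent hosts "$host" >/dev/null; then
            echo "$host: name does not resolve (check /etc/hosts and resolv.conf)"
        elif probe "$host" "$port"; then
            echo "$host:$port tcp reachable"
        else
            echo "$host:$port tcp blocked or KDC down (check firewall/IPS)"
        fi
    done
}

# Constructed sample input, modelled on the [realms] layout shown in the thread.
sample_conf() {
cat <<'EOF'
[realms]
 PS.IN = {
  kdc = dc1.ps.in
  kdc = dr.ps.in:88
  admin_server = dc1.ps.in
 }
 OTHER.EXAMPLE = {
  kdc = kdc.other.example
 }
[domain_realm]
 .ps.in = PS.IN
EOF
}

if [ "$#" -eq 2 ]; then check_realm "$1" "$2"; fi
```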
2023-12-06 01:48 PM
Unfortunately all the 10.6 documentation has been removed from the Community due to its age. I don't have any documentation that I can point you to to help you with the configuration of the old VLC. As to the ports that the VLC uses to talk to the Windows server, the integration guide should provide those to you as part of the setup for pulling in those logs. As to setting up the VLC itself to communicate with NetWitness, that is a different story. Some of the current documentation can help here but there are things in 11.x that weren't there in 10.x and there are things in 10.x that are no longer in 11.x. What you really need is the old 10.6.x documentation that has been removed. Because of the age of 10.6 we collectively don't remember all the needed information to provide a successful VLC setup. I was able to assist with your hardware question because the hardware really hasn't changed much between the different versions, as to the VLC that is a different matter.
I'm sorry but I no longer have access to the documentation that you need nor do I have any offline copies. All I have access to is all I have provided. The customer must upgrade to something that we still have documentation for otherwise you are completely relying on the community's collective memory.
2023-12-06 07:44 PM
Hi @JohnKisner
Thanks for your concern and valuable time given to me.