This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Knowledge Base
Find answers to your questions and identify resolutions for known issues with knowledge base articles written by NetWitness experts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Windows logs are not coming to RSA NetWitness Platform due to "bookmark as 1" errors

Article Number

000001655

Applies To

RSA Product Set: NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.3.1.0
Platform: CentOS
O/S Version: 7
 

Issue

Windows event source configured as per WinRM configuration guide and Test connection success. However, logs are not coming to NetWitness due to below errors in Collector.

/var/log/messages: 
Sep 16 09:32:58 VLC NwLogCollector[15403]: [WindowsCollection] [failure] [windowshost] Bookmarks received: Application=204,Security=1,System=108
Sep 16 09:32:58 VLC NwLogCollector[15403]: [WindowsCollection] [failure] [windowshost] [processing] [WorkUnit] [processing] Remote event source [windowshost] has returned bookmark as '1' for one or more channels which maye be an error.Discarding pulled events and reverting bookmarks for all channels to previous known bookmarks.

Cause

This issue is due to read events access was not granted for security channel logs for Event Log Readers group and Network Service account.

Resolution

Please follow the below steps to grant read events access to the security channel.
  1. Login to the Windows server. Run the below commands as Administrator from the command prompt. 
    winrm quickconfig
wevtutil gl security > securityevtorig.txt
  2. Open securityevtorig.txt file.
         Example Output: 
    name: security
enabled: true
type: Admin
owningPublisher:
isolation: security
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 16777216
publishing:
  fileMax: 1
  3. Copy the channel access value and replace existing-SDDL-string to grant read access to the Event Log Readers group. 
    wevtutil sl security /ca:existing-SDDL-string(A;;0x1;;;S-1-5-32-573)
          Example: 
    wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
  4. Repeat the same process to grant read access to the Network Service account. 
    wevtutil sl security /ca:existing-SDDL-string(A;;0x1;;;s-1-5-20)
          Example: 
    wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;s-1-5-20)
  5. After the above steps, login to NetWitness GUI and restart the Windows collection in the Log Collector's System page.
  6. Verify that the bookmark errors are no longer being seen under /var/log/messages and logs are visible in the Investigation page.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2022-02-10 01:19 PM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.