Article Number
000002083
Applies To
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Log Collector
RSA Version/Condition: 11.7.1.0
Platform: CentOS
O/S Version: EL7
Issue
After upgrading the NwLogCollector service to RSA NetWitness Platform 11.7.1.0, Windows Log Collection over WinRM stops working and the following NwLogCollector errors are written to /var/log/messages.
"2022-04-20T15:06:27","ERROR","WindowsCollection","","[domainname.eventsourcename] Error pulling events. Response code = 401/Unknown"
"2022-04-20T15:06:27","ERROR","WindowsCollection","","[domainname.eventsourcename] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source <eventsourcename>: 401/Unauthorized.
Possible causes:
- Event source (eventsourcename) does not map to a Kerberos Realm."
"2022-04-20T15:06:27","ERROR","WindowsCollection","","[domainname.eventsourcename] [processing] [WorkUnit] [processing failure] windows:WrkUnit[2] Processing failed."
Also, testing the connection to a configured WinRM Windows event source fails with the following error.
Error! 401/Unauthorized.
Possible causes:
- Event source (eventsourcename.domainname.com) does not map to a Kerberos Realm.
Cause
The libcurl library shipped with this build of the NwLogCollector was built without the "--with-gssapi" flag. Windows collection over WinRM uses libcurl for its HTTP transport and depends on GSSAPI for Kerberos authentication, so the authentication negotiation with the event source cannot complete, the WinRM endpoint answers 401/Unauthorized, and the Log Collector reports that the event source does not map to a Kerberos realm.
Resolution
To resolve the issue, download the Hotfix RPM from the link below and then follow the instructions that follow it.
https://sftp.rsa.com/human.aspx?Username=support&password=Password1&arg01=867812984&arg12=downloaddirect&transaction=signon&quiet=true
1. Upload the Hotfix RPM to the node on which the NwLogCollector service is running.
2. SSH to the node on which the NwLogCollector service is running and log in as root.
3. Run the following command and make a note of the currently installed version of the NwLogCollector package, so that the upgrade can be verified afterwards.
rpm -qa | grep "nw-logcollector"
4. Stop the NwLogCollector service by executing the following command.
systemctl stop nwlogcollector
5. Back up the current /usr/sbin/NwLogCollector binary so that it can be restored if the hotfix has to be rolled back.
6. Install the Hotfix RPM by executing the following command.
rpm -Uvh rsa-nw-logcollector-11.7.1.0-15010.5.8c3052f26.el7.x86_64.rpm
7. Start the NwLogCollector service by executing the following command.
systemctl start nwlogcollector
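The following script is an added example and is not part of the RSA article or the product. It does two things a practitioner would want around the procedure above: a pre-check that inspects the link map of the Log Collector binary for a GSSAPI library (a libcurl built with --with-gssapi links libgssapi_krb5 from MIT Kerberos, or libgssapi from Heimdal), and steps 3 to 7 of the procedure with the backup made explicit and the installed package verified afterwards. Assumptions not stated in the article: the binary path /usr/sbin/NwLogCollector (taken from step 5) is the one the service runs, the hotfix RPM is in the current directory, and the sample ldd output embedded for offline demonstration is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the RSA article: GSSAPI pre-check plus hotfix steps 3-7.
# Assumptions (not stated in the article): binary path below is the one the service
# runs, the hotfix RPM is in the current directory, and a GSSAPI-enabled libcurl links
# libgssapi_krb5 (MIT) or libgssapi (Heimdal).
set -eu

BIN=/usr/sbin/NwLogCollector
HOTFIX=rsa-nw-logcollector-11.7.1.0-15010.5.8c3052f26.el7.x86_64.rpm

# Returns 0 if the given `ldd` output lists a GSSAPI library, which is what a libcurl
# built with --with-gssapi pulls into the process.
ldd_has_gssapi() {
    printf '%s\n' "$1" | grep -Eq 'libgssapi(_krb5)?\.so'
}

# Returns 0 if the given `rpm -qa` output contains the hotfix package
# (the RPM file name without its .rpm suffix).
hotfix_installed() {
    printf '%s\n' "$1" | grep -Fqx "${HOTFIX%.rpm}"
}

# Constructed sample ldd output for offline demonstration (not from a real host).
SAMPLE_LDD_OK='    libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007f0000000000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f0000100000)'
SAMPLE_LDD_MISSING='    libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x00007f0000000000)
    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000100000)'

# Steps 3 to 7 of the article, with the backup made explicit and the result verified.
apply_hotfix() {
    before=$(rpm -qa 'rsa-nw-logcollector*')          # step 3: record installed version
    echo "installed before: ${before:-none}"
    systemctl stop nwlogcollector                      # step 4
    cp -p "$BIN" "$BIN.$(date +%Y%m%d%H%M%S).bak"      # step 5: restorable copy
    rpm -Uvh "$HOTFIX"                                 # step 6
    systemctl start nwlogcollector                     # step 7
    after=$(rpm -qa 'rsa-nw-logcollector*')
    echo "installed after: $after"
    hotfix_installed "$after" || { echo "hotfix package not installed" >&2; return 1; }
    systemctl is-active --quiet nwlogcollector
}

case "${1:-}" in
    check)
        # Inspect the link map of the running binary for a GSSAPI library.
        if ldd_has_gssapi "$(ldd "$BIN")"; then
            echo "GSSAPI library linked: Kerberos authentication to WinRM is possible"
        else
            echo "no GSSAPI library linked: libcurl built without --with-gssapi, apply hotfix"
        fi
        ;;
    apply) apply_hotfix ;;
    demo)
        ldd_has_gssapi "$SAMPLE_LDD_OK" && echo "sample OK: GSSAPI present"
        ldd_has_gssapi "$SAMPLE_LDD_MISSING" || echo "sample MISSING: no GSSAPI"
        ;;
esac
```

Run `sh hotfix.sh check` before and after installing the RPM; the pre-hotfix build should show no GSSAPI library and the hotfixed one should. `sh hotfix.sh apply` performs steps 3 to 7 and fails if the hotfix package is not the one reported by rpm afterwards, leaving the timestamped backup of the binary in place. The ldd check reads the whole link map of the binary, so a GSSAPI library pulled in by some other dependency would also satisfy it; treat a negative result as conclusive and a positive one as a strong indication.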
Notes
This defect is intended to be fixed in RSA NetWitness Platform 11.7.1.1.