How to troubleshoot WinRM log collection on RSA Security Analytics Log Collectors

Issue

How to troubleshoot WinRM log collection on RSA Security Analytics log collectors.

Resolution

Testing WinRM from the Windows event source:

Show the current WinRM configuration: winrm get winrm/config

Show the listener configuration: winrm e winrm/config/listener

Note: if this command returns nothing, no listener is configured. On Windows Server 2008 run winrm quickconfig to start the Windows Remote Management service and create a listener on the default port (5985 for HTTP).
Expected return from above command:
Listener
        Address = *
        Transport = HTTP
        Port = 5985
        Hostname
        Enabled = true
        URLPrefix = wsman
        CertificateThumbprint
        ListeningOn = 127.0.0.1, 192.168.12.122, ::1, fe80::100:7f:fffe%11, fe80::5efe:192.168.12.122%13

The following curl command, run from the log collector, confirms that the collector can reach the listener and that /etc/krb5.conf is configured correctly. The --negotiate option uses the Kerberos ticket already in the credential cache, so obtain one with kinit for the collection account first.

Create a file called getwinrmconfig.xml in the directory you will run curl from, containing the WS-Management transfer/Get envelope below (change the To element to the FQDN and listener port of your target):

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
            xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd">
  <s:Header>
    <a:To>http://<target-fqdn>:<port>/wsman</a:To>
    <w:ResourceURI s:mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/config/service</w:ResourceURI>
    <a:ReplyTo>
      <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
    </a:ReplyTo>
    <a:Action s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Get</a:Action>
    <w:MaxEnvelopeSize s:mustUnderstand="true">153600</w:MaxEnvelopeSize>
    <a:MessageID>uuid:29D85FB4-5125-4E41-BB6A-088ECEBBE749</a:MessageID>
    <w:Locale xml:lang="en-US" s:mustUnderstand="false"/>
    <w:OperationTimeout>PT60.000S</w:OperationTimeout>
  </s:Header>
  <s:Body/>
</s:Envelope>


Then run the command from that directory. The host in the URL must be the target's FQDN, not an IP address: Negotiate authentication requests a Kerberos service ticket for HTTP/<fqdn>, and that name must map to a realm in /etc/krb5.conf.

curl -v -k http://<target-fqdn>:5985/wsman -d @getwinrmconfig.xml -u : -H "Content-Type: application/soap+xml;charset=UTF-8" --negotiate

Typical failures:

[root@NWAPPLIANCE808 test]# curl -v -k http://<target-fqdn>:5985/wsman -d @getwinrmconfig.xml -u : -H "Content-Type: application/soap+xml;charset=UTF-8" --negotiate
* About to connect() to 192.168.1.1 port 5985 (#0)
* Trying 192.168.1.1... Connection refused
* couldn't connect to host
* Closing connection #0

This means the listener is not on that port or the Windows Remote Management service is not started on the target. A connection that times out instead of being refused points to a firewall between the collector and the target.


Or  "2013-08-19T01:11:18","ERROR","WindowsCollection","","[WinDomain1.192_168_1_1] Error enumerating for account SIDs. Response code = 401/Unknown"

In general this means either a credential problem with Kerberos or Basic authentication (bad user name or password, or a locked account) or, more typically, that Kerberos is in use and /etc/krb5.conf is misconfigured, so the collector cannot obtain a ticket for the target's realm.
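As an added example (not part of this article or of the RSA product), the following script automates the two checks above on the log collector: it sends getwinrmconfig.xml to the target with the To element rewritten to the target URL, classifies curl's result into the failure modes listed, and reports which realm and KDC /etc/krb5.conf would select for the target FQDN (longest-suffix match in [domain_realm], then default_realm). The script name, the hypothetical target FQDN and the curl exit-code mapping are assumptions; it expects curl built with GSS-Negotiate support and, when Kerberos is used, a ticket obtained with kinit.

```shell
#!/usr/bin/env bash
# Added example, not from the RSA article: probe a WinRM listener from the
# log collector and map the outcome onto the failure modes the article lists,
# then check which realm/KDC /etc/krb5.conf would use for the target.
# Assumes curl with GSS-Negotiate support, a Kerberos ticket in the cache
# (kinit) when Kerberos is used, and getwinrmconfig.xml in the current directory.
set -u

# Map curl's exit status and the HTTP status onto a diagnosis.
# Returns 0 only when the listener answered the request.
classify_winrm_result() {
    local curl_exit="$1" http_code="$2"
    case "$curl_exit" in
        0)  ;;
        6)  echo "name resolution failed: target FQDN not in DNS or /etc/hosts"; return 1 ;;
        7)  echo "connection refused: listener port wrong or Windows Remote Management service not started"; return 1 ;;
        28) echo "timed out: host firewall or network path is dropping the listener port"; return 1 ;;
        *)  echo "curl failed (exit $curl_exit)"; return 1 ;;
    esac
    case "$http_code" in
        200) echo "ok: listener answered the transfer/Get"; return 0 ;;
        401) echo "401 unauthorized: bad or locked credentials, or no Kerberos ticket for HTTP/<fqdn> (check klist and the realm/kdc mapping in krb5.conf)"; return 1 ;;
        500) echo "500: WinRM returned a SOAP fault; read the response body"; return 1 ;;
        *)   echo "unexpected HTTP status $http_code"; return 1 ;;
    esac
}

# Send getwinrmconfig.xml to http://FQDN:PORT/wsman with the To header
# rewritten to the same URL, so the SPN curl requests (HTTP/FQDN) and the
# address inside the envelope agree.
winrm_probe() {
    local fqdn="$1" port="${2:-5985}" tmpl="${3:-getwinrmconfig.xml}"
    local url="http://$fqdn:$port/wsman" http_code curl_exit
    klist -s 2>/dev/null || echo "warning: no Kerberos ticket in cache; run kinit or expect 401" >&2
    http_code=$(sed "s#<a:To>[^<]*</a:To>#<a:To>$url</a:To>#" "$tmpl" |
        curl -s -o /dev/null -w '%{http_code}' --max-time 15 \
             --negotiate -u : \
             -H 'Content-Type: application/soap+xml;charset=UTF-8' \
             --data-binary @- "$url")
    curl_exit=$?
    classify_winrm_result "$curl_exit" "$http_code"
}

# Which realm does krb5.conf map FQDN to, and does that realm have a kdc?
# Longest-suffix match in [domain_realm], falling back to default_realm,
# mirroring how libkrb5 picks a realm. Assumes conventional "key = value" spacing.
krb5_check() {
    local fqdn="$1" conf="${2:-/etc/krb5.conf}"
    awk -v host="$(printf '%s' "$fqdn" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*\[/ { section=$0; sub(/^[[:space:]]*\[/,"",section); sub(/\].*$/,"",section); next }
        /^[[:space:]]*(#|;|$)/ { next }
        section=="libdefaults" && $1=="default_realm" { def=$3 }
        section=="domain_realm" { key=$1; sub(/^\./,"",key); map[tolower(key)]=$3 }
        section=="realms" && $2=="=" && $3=="{" { cur=$1 }
        section=="realms" && $1=="kdc" { kdc[cur]=$3 }
        END {
            realm=""; n=split(host, p, ".")
            for (i=1; i<=n && realm==""; i++) {
                cand=p[i]
                for (j=i+1; j<=n; j++) cand=cand "." p[j]
                if (cand in map) realm=map[cand]
            }
            if (realm=="") realm=def
            if (realm=="") { print "no domain_realm mapping or default_realm for " host; exit 1 }
            if (!(realm in kdc)) { print "realm " realm " has no kdc entry in [realms]"; exit 1 }
            print realm " kdc=" kdc[realm]
        }' "$conf"
}

# Usage: ./winrm_probe.sh <target-fqdn> [port]   (hypothetical script name)
if [ "${1:-}" ]; then
    krb5_check "$1"
    winrm_probe "$1" "${2:-5985}"
fi
```

Run it with the event source's FQDN; a krb5_check failure (no realm mapping, or a realm without a kdc) is the usual cause of the 401 seen in the collector log, while a "connection refused" diagnosis sends you back to the winrm e winrm/config/listener check on the Windows side.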

Internal Comments

UserName:shurtj
8/11/2014 3:20:24 PM - Updated Article
Updated article and made changes to abide by Primus best practices. Changed audience to internal.


Product Details

RSA Security Analytics
RSA Security Analytics Log Collector
Microsoft WinRM
INTERNAL ONLY!!!