How to use the WinRM Tool to troubleshoot Windows collection issues in RSA NetWitness Logs & Packets

Resolution

WinRMDiagnostics is a standalone tool that helps to configure or fix Windows event sources for Windows Log Collection. It supports Windows OS 2008 and above.

The tool can be invoked either in command line mode or User Interface (UI) mode. By default, the tool runs in UI mode. To run the tool in command line mode, use the -noui switch.

Tool run modes
  • Verify: Checks whether WinRM is configured on the Windows event source by executing a pre-selected set of commands (default mode).
  • Auto: Checks whether WinRM is configured on the Windows event source by executing a pre-selected set of commands. If WinRM is not configured correctly, the tool will try to fix the issue.
  • Manual: Allows the user to specify the set of commands to execute.


Command-Line Mode

Below are the tool usage and parameters for running the tool in command line mode.

WinRMDiagnostics -noui -mode [tool mode] -username [user id] -transport [transport mode] -port [port] -servicename [service name] -hostname [host fqdn] -usebasic [basic authentication for winrm] -zip [zip flag] -resultdir [result dir name]

Where:

Note: If ‘Verify’ or ‘Auto’ mode is chosen, then no command list should be specified.

The commands the tool can execute are listed below. An X marks the modes (Verify, Auto, Manual) in which a command runs; inputs shown with a command are supplied through the matching tool parameter.

Command Name            Verify  Auto  Manual  Description
FirewallSrvStatus         X             X     Check state of Windows Firewall service
WinRMSrvStatus            X             X     Check state of WinRM service
WinRMVersion              X             X     Get WinRM version
WinRMListenerConfig       X             X     Get WinRM Listener configuration
WinRMOnDefaultPort        X             X     Check whether WinRM Listener is running on default port
AllowUnencryptGet         X             X     Check whether AllowUnencrypted property is set
EventLogPermGet           X             X     Check whether Event Log permissions are set correctly
EventReadersGrpGet        X             X     Check whether user account is part of Event Log Readers Local User Group; Input: User Account Credentials (username)
SecLogChReadAccStatus     X             X     Verify whether the SDDL string for the Windows Log channel is configured for read access to the Security Log channel
AllowUnencryptSet                X      X     Set AllowUnencrypted property to 'true'
EventLogPermSet                  X      X     Set Event Log permissions for Event Log Readers group
SecLogChReadAccAdd               X      X     Grant read access to the Security Log channel by modifying the SDDL string for the Windows Log channel
WinRMQuickConfig                 X      X     Run WinRM Quick config command; Input: Transport (default = HTTP), Use Basic Authentication (default = False)
EventReadersGrpAdd               X      X     Add user account to Event Log Readers Local User Group; Input: User Account Credentials (username)
WinRMListenerCreate                     X     Create WinRM Listener; Input: Transport (default = HTTP), Port (default = 5985)
WinRMListenerDelete                     X     Delete WinRM Listener; Input: Transport (default = HTTP)
WinRMListenerPortSet                    X     Set WinRM Listener port; Input: Transport (default = HTTP), Port (default = 5985)
EventReadersGrpRem                      X     Remove user account from Event Log Readers Local User Group; Input: User Account Credentials (username)
ServiceStart                            X     Start given service; Input: Service Name
ServiceStop                             X     Stop given service; Input: Service Name
SystemTime                X      X      X     Get system time on local computer
OSName                    X      X      X     Get host operating system name
HostIPByDns               X      X      X     Get Host IP Address from DNS Hostname; Input: Host name or Host FQDN

Sample Usage
WinRMDiagnostics -noui -mode verify   (Run 'verify' mode commands)
WinRMDiagnostics -noui -mode auto     (Run 'auto' mode commands)
WinRMDiagnostics -noui                (Run specified commands)
WinRMDiagnostics -ver                 (Tool version)
WinRMDiagnostics -help                (Displays tool usage)


User Interface Mode

General Tab:
  • Provides options for configuration and execution of the tool.

Run Mode:
  • Verify and Auto run modes run a pre-selected set of commands (the ones that are not grayed out).
  • Commands need to be selected for the Manual run mode only.
  • Command information is displayed in the Steps Description pane when the command name is clicked.
  • Specify tool parameters only for the selected commands.
  • To run the tool click on the Run button.

Results Tab:
  • Displays tool results in XML format. Tool results are saved here: ~\WinRMToolResults\_wrm_
  • Optional: Select the Zip Results option to zip up the results directory. Specify the Result Dir Name option to create the result directory with a non-default name, e.g. ~\WinRMToolResults\rsasa-123

Results (Tabular) Tab:
  • Displays tool results in tabular format.

Notes

The WinRM Diagnostics tool and guide have been updated as of 2018/03/07. If you have downloaded this tool and guide before that time, please download them again using the links below. If this is the first time downloading these items, please use the same links below.

WinRM Diagnostics Tool:   https://community.rsa.com/docs/DOC-58018
WinRM Configuration Guide:  https://community.rsa.com/docs/DOC-58163

Product Details

RSA Product Set: RSA Netwitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.5.x,10.6.x, 11.x
Platform: CentOS
O/S Version: EL6 / EL7