
RSA NetWitness WinRM error: 'Unable to subscribe for events with Windows event source [ip address]: 401/Unauthorized'

Issue

RSA NetWitness WinRM error: "Unable to subscribe for events with Windows event source [ip address]: 401/Unauthorized"

When adding a Microsoft Windows Domain Controller as a WinRM event source, an error similar to the following appears in the NetWitness Log Collector log. In this example 192.168.1.199 is the IP address of the Domain Controller:

         Unable to subscribe for events with Windows event source 192.168.1.199: 401/Unauthorized.
         Possible causes: - Event source (192.168.1.199) does not map to a Kerberos Realm.
         Krb5CredCacheWrapper: Cannot contact any KDC for requested realm while getting initial credentials

Cause

In the example above, the event source was configured by IP address, and 192.168.1.199 does not resolve in DNS to a FQDN.
This can be verified from the Log Collector with the following command: nslookup 192.168.1.199

If the correct FQDN is not returned, the IP address is not resolvable in reverse DNS.
The Log Collector authenticates to WinRM with Kerberos. Kerberos needs the target's host name to build the service principal name (HTTP/<fqdn>) and to map that host to a realm; an IP address normally has no realm mapping and no SPN registered for it on the Domain Controller, so no service ticket can be obtained and the WinRM listener rejects the request with 401/Unauthorized.
The same error occurs when the FQDN resolves but is not mapped to a Kerberos Realm; that is the "Cannot contact any KDC for requested realm" line in the log.


Resolution

When configuring WinRM for a Windows Domain Controller event source, the FQDN should be used, not an IP address.

In the NetWitness UI, go to Admin > Services > {Log Collector} > Config, Event Sources tab.
Select Windows in the dropdown.
Under Event Categories > Hosts, delete the Windows Domain Controller entry whose Event Source Address is an IP address.
Add a new Windows Domain Controller entry whose Event Source Address is the FQDN of the Windows Domain Controller server.

Ensure the NetWitness Log Collector appliance can resolve the configured FQDN to the correct IP address, that the reverse lookup of that IP address returns the same FQDN, and that the FQDN's DNS suffix is mapped to the Kerberos Realm the collector uses for Windows collection.
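The two checks in the Cause and Resolution sections above (is the address an FQDN rather than an IP, does its domain map to a Kerberos realm, and do forward and reverse DNS agree) can be scripted on the Log Collector appliance before the event source is added. The following POSIX shell script is an added example for this article, not RSA code and not part of the NetWitness product. It assumes the appliance's Kerberos configuration is a standard krb5.conf with a [domain_realm] section (the default path /etc/krb5.conf is an assumption), and that getent, awk and mktemp are available. The sample krb5.conf it writes for the stand-alone demo is constructed and does not come from any real appliance.

```sh
#!/bin/sh
# check_winrm_source.sh - sanity-check a Windows event source address before
# adding it to the Log Collector WinRM configuration. Added example, not RSA code.
#
#   sh check_winrm_source.sh dc01.mydomain.com [/path/to/krb5.conf]

# Return 0 when ADDR looks like an IPv4 dotted quad or an IPv6 literal.
is_ip_literal() {
    case "$1" in
        *:*) return 0 ;;          # IPv6 literal
        *[!0-9.]*) return 1 ;;    # letters or other characters: a name
        *.*.*.*) return 0 ;;      # four dotted numeric fields
    esac
    return 1
}

# Return 0 when NAME is hostname.suffix: at least one dot, sane label characters.
is_fqdn() {
    case "$1" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
    esac
    return 1
}

# domain_realm_lookup CONF HOST: print the realm that the [domain_realm] section
# of CONF maps HOST to, searching the way libkrb5 does: the full host name first,
# then each parent domain with a leading dot (.mydomain.com, then .com).
domain_realm_lookup() {
    conf=$1
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while :; do
        realm=$(awk -v k="$key" '
            /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[domain_realm\]/); next }
            insec && NF && $0 !~ /^[[:space:]]*[#;]/ {
                n = index($0, "="); if (n == 0) next
                name = substr($0, 1, n - 1); val = substr($0, n + 1)
                gsub(/[[:space:]]/, "", name); gsub(/[[:space:]]/, "", val)
                if (tolower(name) == k) { print val; exit }
            }' "$conf")
        [ -n "$realm" ] && { printf '%s\n' "$realm"; return 0; }
        rest=${key#.}
        case "$rest" in
            *.*) key=".${rest#*.}" ;;
            *) return 1 ;;            # ran out of parent domains: no mapping
        esac
    done
}

# classify_event_source ADDR CONF: print a verdict and return 0 only when ADDR is
# an FQDN that maps to a realm. 'ip-literal' is the misconfiguration this article describes.
classify_event_source() {
    if is_ip_literal "$1"; then printf 'ip-literal\n'; return 1; fi
    if ! is_fqdn "$1"; then printf 'not-fqdn\n'; return 1; fi
    realm=$(domain_realm_lookup "$2" "$1") || { printf 'no-realm\n'; return 1; }
    printf 'ok %s\n' "$realm"
}

# check_resolution FQDN: forward lookup, then confirm the PTR of the returned
# address comes back to the same name (getent follows /etc/hosts, then DNS).
check_resolution() {
    ip=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$ip" ] || { printf 'forward lookup failed for %s\n' "$1"; return 1; }
    ptr=$(getent hosts "$ip" | awk 'NR == 1 { print $2 }')
    [ -n "$ptr" ] || { printf 'reverse lookup failed for %s\n' "$ip"; return 1; }
    lname=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    lptr=$(printf '%s' "$ptr" | tr '[:upper:]' '[:lower:]')
    [ "$lname" = "$lptr" ] || { printf 'mismatch: %s -> %s -> %s\n' "$1" "$ip" "$ptr"; return 1; }
    printf 'resolves: %s -> %s -> %s\n' "$1" "$ip" "$ptr"
}

# Constructed sample krb5.conf for the stand-alone demo (not from any real
# appliance); prints the path of a temp file holding it.
sample_krb5conf() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
[libdefaults]
    default_realm = MYDOMAIN.COM
[realms]
    MYDOMAIN.COM = {
        kdc = dc01.mydomain.com
    }
[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
EOF
    printf '%s\n' "$f"
}

main() {
    addr=$1
    conf=${2:-/etc/krb5.conf}   # assumption: standard krb5.conf location on the appliance
    verdict=$(classify_event_source "$addr" "$conf") || { printf 'NOT OK (%s): %s\n' "$verdict" "$addr"; return 1; }
    printf '%s: %s\n' "$verdict" "$addr"
    check_resolution "$addr"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it with the FQDN you intend to enter as the Event Source Address; an address that prints ip-literal is exactly the configuration that produces the 401/Unauthorized error above, and no-realm means the 401 will recur even with an FQDN until the [domain_realm] mapping is added. The DNS check is only meaningful on the Log Collector itself, since that is the resolver the collection service uses.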

Notes

The FQDN (Fully Qualified Domain Name) is a DNS name that uniquely identifies the computer on the network.
An FQDN is a concatenation of the hostname and the primary DNS suffix, delimited with periods.
An example of the FQDN format is hostname.mydomain.com
For a domain-joined Windows server the primary DNS suffix is normally the Active Directory domain name, and the Kerberos Realm is that name in upper case (for example MYDOMAIN.COM), which is why the FQDN, unlike the IP address, lets the Log Collector locate the KDC.

Internal Comments

UserName:shurtj
5/8/2014 8:51:08 PM - Technically Reviewed
Made minor modifications to the statements to standardize the formatting and to adhere to Primus best practices.

UserName:shurtj
8/7/2014 5:42:41 PM - Updated Article
Updated article and made changes to abide by Primus best practices.

Product Details

RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector, Microsoft WinRM
RSA Version/Condition: 10.6.x, 11.x
