Windows event source is unable to subscribe for events in RSA NetWitness Platform because Access is denied
Issue
Unable to subscribe for events with Windows event source in RSA Security Analytics because "Access is denied". The following error message is seen in the Log Collector logs:
Unable to subscribe for events with Windows event source EVENTSOURCENAME: Fault Code : s:Sender Subcode : w:AccessDenied Reason : Access is denied. Fault Detail : Access is denied.
Cause
The Windows user account used by NetWitness has insufficient privilege to read the event logs.
Resolution
- When configuring a Windows event source (using WinRM), add the user account that NetWitness will use for log collection to the local Event Log Readers group on the Windows host, not to the domain Event Log Readers group.
It is also important to add the user explicitly, as a direct member, to the local Event Log Readers group.
- It has also been found that this error occurs when the user is a member of another group that has the correct permissions, and that other group (rather than the user itself) was added to the local Event Log Readers group. Membership inherited through a nested group is not sufficient for the WinRM subscription.
Explicitly add the user to the local Event Log Readers group.
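The following PowerShell script is an added example, not part of the RSA article, that checks the condition described in the resolution on the Windows event source itself: it verifies that the collection account is a direct member of the local Event Log Readers group, warns when the group contains only nested groups (the case the article says still produces the AccessDenied fault), and adds the account directly if it is missing. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows Server 2016 / Windows 10 and later), local Administrator rights on the host, and a placeholder account name passed in $Account.

```powershell
# Added example (not from the RSA article): confirm that the NetWitness collection
# account is a DIRECT member of the local "Event Log Readers" group and add it if not.
# Run on the Windows event source with local Administrator rights.
param(
    [Parameter(Mandatory = $true)]
    [string]$Account   # placeholder, e.g. 'CONTOSO\svc-netwitness' (not from the article)
)

# Built-in local group whose members may read event logs over WinRM.
$GroupName = 'Event Log Readers'

# Enumerate the group's direct members. Entries whose ObjectClass is 'Group' are
# nested groups; per the article, membership through them does not clear the fault.
$members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop

$direct = $members | Where-Object { $_.ObjectClass -eq 'User' -and $_.Name -ieq $Account }
$nested = $members | Where-Object { $_.ObjectClass -eq 'Group' }

if ($direct) {
    Write-Output "OK: $Account is already a direct member of '$GroupName'."
    return
}

if ($nested) {
    $msg = "{0} is not a direct member of '{1}'. Nested groups present: {2}. " +
           "Membership via a nested group still yields AccessDenied on the WinRM subscription." `
           -f $Account, $GroupName, ($nested.Name -join ', ')
    Write-Warning $msg
}

# Add the account explicitly as a direct member of the local group.
Add-LocalGroupMember -Group $GroupName -Member $Account -ErrorAction Stop
Write-Output "Added $Account directly to '$GroupName'. Re-test the event source from the Log Collector."
```

Run it as `.\Check-EventLogReaders.ps1 -Account 'CONTOSO\svc-netwitness'` (file and account names are placeholders). After the account is added, the Log Collector needs to re-establish the WinRM subscription before the error clears; for accounts already logged on, group changes take effect only at the next logon token creation, which for WinRM means the next connection.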
Internal Comments
UserName: shurtj
5/8/2014 8:45:18 PM - Technically Reviewed
Minor modifications made to statements in order to adhere to Primus best practices. Standardized the formatting. Updated the title and added it as a Symptom statement for indexing purposes.
UserName: shurtj
8/7/2014 5:43:38 PM - Updated Article
Updated article and made changes to abide by Primus best practices.
Product Details
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.6.x, 11.x
Summary
Unable to subscribe for events with Windows event source in RSA Security Analytics because Access is denied.