Windows logs are not coming to RSA NetWitness Platform due to bookmark as 1 errors
Issue
The Windows event source is configured as per the WinRM configuration guide and Test Connection succeeds. However, logs are not coming into NetWitness because of the errors below in the Log Collector's /var/log/messages:
Sep 16 09:32:58 VLC NwLogCollector[15403]: [WindowsCollection] [failure] [windowshost] Bookmarks received: Application=204,Security=1,System=108
Sep 16 09:32:58 VLC NwLogCollector[15403]: [WindowsCollection] [failure] [windowshost] [processing] [WorkUnit] [processing] Remote event source [windowshost] has returned bookmark as '1' for one or more channels which maye be an error.Discarding pulled events and reverting bookmarks for all channels to previous known bookmarks.
Sep 16 09:32:58 VLC NwLogCollector[15403]: [WindowsCollection] [failure] [windowshost] [processing] [WorkUnit] [processing] Remote event source [windowshost] has returned bookmark as '1' for one or more channels which maye be an error.Discarding pulled events and reverting bookmarks for all channels to previous known bookmarks.
Cause
This issue occurs because read access to the Security channel had not been granted to the Event Log Readers group and the Network Service account, so the collector cannot read Security events even though the WinRM connection itself succeeds.
Resolution
Please follow the steps below to grant read access to the Security channel.
- Log in to the Windows server and run the commands below as Administrator from the command prompt.
winrm quickconfig
wevtutil gl security > securityevtorig.txt
- Open the securityevtorig.txt file.
Example Output:
name: security
enabled: true
type: Admin
owningPublisher:
isolation: security
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)
logging:
logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
retention: false
autoBackup: false
maxSize: 16777216
publishing:
fileMax: 1
- Copy the channelAccess value, substitute it for existing-SDDL-string in the command below, and append the ACE that grants read access (0x1) to the Event Log Readers group (SID S-1-5-32-573). Note that /ca: is followed directly by the SDDL and the SDDL must not contain spaces.
wevtutil sl security /ca:existing-SDDL-string(A;;0x1;;;S-1-5-32-573)
Example:
wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
- Repeat the same process to grant read access to the Network Service account (SID S-1-5-20). Because wevtutil sl /ca: replaces the whole descriptor, existing-SDDL-string is now the value from the previous step, so the result contains both new ACEs.
wevtutil sl security /ca:existing-SDDL-string(A;;0x1;;;S-1-5-20)
Example:
wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
- After the above steps, log in to the NetWitness GUI and restart the Windows collection from the Log Collector's System page.
- Verify that the bookmark errors no longer appear in /var/log/messages and that the logs are visible in the Investigation page.
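The steps above can also be applied as one script. The following PowerShell is an added example, not taken from the NetWitness article: it reads the current Security channel SDDL with wevtutil, appends the read ACEs for Event Log Readers and Network Service only where they are not already present, applies the result in a single wevtutil sl call and reads the channel back to verify. It assumes an elevated session on the Windows event source; the backup file name is the example's own choice.

```powershell
# Added example (not from the NetWitness article): apply the article's fix idempotently by
# appending read (0x1) ACEs for Event Log Readers and Network Service to the Security channel.
# Assumes an elevated PowerShell session on the Windows event source and wevtutil.exe on PATH.
$Channel = 'security'
# Well-known SIDs: BUILTIN\Event Log Readers and NT AUTHORITY\NETWORK SERVICE
$Principals = @('S-1-5-32-573', 'S-1-5-20')

function Get-ChannelSddl([string]$Name) {
    # Extract the channelAccess line from 'wevtutil gl <channel>' and return the raw SDDL.
    foreach ($line in (wevtutil gl $Name)) {
        if ($line -match '^\s*channelAccess:\s*(\S+)\s*$') { return $Matches[1] }
    }
    throw "channelAccess not found for channel '$Name'"
}

function Test-ReadAce([string]$Sddl, [string]$Sid) {
    # True when the DACL already holds an allow ACE for $Sid whose hex mask includes read (0x1).
    # The trailing '\)' stops S-1-5-3 from matching inside S-1-5-32-573.
    $pattern = "\(A;;(0x[0-9A-Fa-f]+);;;$([regex]::Escape($Sid))\)"
    foreach ($m in [regex]::Matches($Sddl, $pattern)) {
        if (([Convert]::ToInt64($m.Groups[1].Value, 16) -band 1) -ne 0) { return $true }
    }
    return $false
}

$orig = Get-ChannelSddl $Channel
# Save the original descriptor so the change can be reverted with 'wevtutil sl security /ca:<saved>'.
$backup = "$Channel-channelAccess-$(Get-Date -Format yyyyMMddHHmmss).txt"
Set-Content -Path $backup -Value $orig

$toAdd = @($Principals | Where-Object { -not (Test-ReadAce $orig $_) } | ForEach-Object { "(A;;0x1;;;$_)" })
if ($toAdd.Count -eq 0) {
    Write-Host "Both principals already have read access on '$Channel'; nothing to change."
} else {
    # Appending allow ACEs is safe for the article's DACL, which contains only allow ACEs;
    # a deny ACE, if one existed, would have to stay ahead of the allows.
    $new = $orig + ($toAdd -join '')
    # Quote the argument: unquoted '(' and ';' are PowerShell syntax, not part of the SDDL.
    wevtutil sl $Channel "/ca:$new"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed (exit $LASTEXITCODE); original SDDL saved in $backup" }
    # Read the channel back and confirm every requested principal now has read.
    $applied = Get-ChannelSddl $Channel
    foreach ($sid in $Principals) {
        if (-not (Test-ReadAce $applied $sid)) { throw "Read ACE for $sid missing after update" }
    }
    Write-Host "Updated channelAccess: $applied"
}
```

Because both ACEs are appended in one pass, the second grant cannot overwrite the first, which is the risk when the two wevtutil sl commands are run by hand with a stale existing-SDDL-string.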
Product Details
Netwitness Product Set: NetWitness Platform
Netwitness Product/Service Type: Windows Server, Log Collector
Netwitness Version/Condition: 11.x, 12.x or later
Platform: CentOS/Alma Linux
Summary
This document outlines the procedure to fix bookmark as '1' errors for Windows channels so that logs are collected into NetWitness.