WinRM collection stops working after upgrade to RSA NetWitness Platform 11.7.1
Issue
After upgrading the NwLogCollector service to RSA NetWitness Platform 11.7.1.0, Windows Log Collection using WinRM stops working and logs the following NwLogCollector errors in /var/log/messages.
"2022-04-20T15:06:27","ERROR","WindowsCollection","","[domainname.eventsourcename] Error pulling events. Response code = 401/Unknown"
"2022-04-20T15:06:27","ERROR","WindowsCollection","","[domainname.eventsourcename] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source <eventsourcename>: 401/Unauthorized.
Possible causes:
- Event source (eventsourcename) does not map to a Kerberos Realm."
"2022-04-20T15:06:27","ERROR","WindowsCollection","","[domainname.eventsourcename] [processing] [WorkUnit] [processing failure] windows:WrkUnit[2] Processing failed."
"2022-04-20T15:06:27","ERROR","WindowsCollection","","[domainname.eventsourcename] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source <eventsourcename>: 401/Unauthorized.
Possible causes:
- Event source (eventsourcename) does not map to a Kerberos Realm."
"2022-04-20T15:06:27","ERROR","WindowsCollection","","[domainname.eventsourcename] [processing] [WorkUnit] [processing failure] windows:WrkUnit[2] Processing failed."
Also, testing the connection to the configured WinRM Windows event sources fails with the following error.
Error! 401/Unauthorized.
Possible causes:
- Event source (eventsourcename.domainname.com) does not map to a Kerberos Realm.
Possible causes:
- Event source (eventsourcename.domainname.com) does not map to a Kerberos Realm.
Cause
The libcurl library used by the Windows collection was built without the "--with-gssapi" flag, so it cannot perform the Kerberos (GSSAPI) authentication that WinRM collection uses, and the event sources reject the requests with 401/Unauthorized.
Resolution
To resolve the issue, download the following Hotfix RPM https://sftp.rsa.com/human.aspx?Username=support&password=Password1&arg01=867812984&arg12=downloaddirect&transaction=signon&quiet=true and then follow the instructions below.
1. Upload the Hotfix RPM to the node on which the NwLogCollector Service is running.
2. SSH to the node on which NwLogCollector Service is running and login as root.
3. Run the below command in order to make a note of the existing installed version of the NwLogCollector Service.
rpm -qa | grep "nw-logcollector"
4. Stop the NwLogCollector Service by executing the below command.
systemctl stop nwlogcollector
5. Back up the current /usr/sbin/NwLogCollector file.
6. Install the Hotfix RPM by executing the below command.
rpm -Uvh rsa-nw-logcollector-11.7.1.0-15010.5.8c3052f26.el7.x86_64.rpm
7. Start the Log Collector service by executing the below command.
systemctl start nwlogcollector
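The following script is an added example, not part of the RSA article or the NetWitness product, that wraps the seven steps above with the checks an administrator usually wants: it records the installed package before and after, keeps a timestamped backup of the binary, and provides two offline-testable helpers, one that inspects "curl -V" style output for GSS-API support and one that counts the 401/Kerberos-realm failure lines described in the Issue section. The package name, service name, binary path and log path come from the article; the "curl -V" heuristic is an assumption (it checks the system curl, which only reflects the collector's libcurl if the collector links the same library), and the sample log text is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example (not from the RSA article): helpers around the hotfix
# procedure for the WinRM 401/"does not map to a Kerberos Realm" defect.
# Assumptions: package "rsa-nw-logcollector", service "nwlogcollector",
# binary /usr/sbin/NwLogCollector and log /var/log/messages are as named
# in the article; the "curl -V" feature check is an added heuristic.
set -eu

# Does "curl -V" style output (read from stdin) advertise GSS-API support?
# A libcurl built with --with-gssapi lists "GSS-Negotiate" (older builds)
# or "GSS-API Kerberos SPNEGO" (newer builds) on its Features line.
libcurl_supports_gssapi() {
    grep -i '^Features:' | grep -qiE 'GSS-API|GSS-Negotiate|Kerberos|SPNEGO'
}

# Count log lines (stdin) that match the WinRM Kerberos failure pattern
# from the article: a 401 response or the "Kerberos Realm" hint.
count_kerberos_401_lines() {
    grep -cE '401/Unauthorized|401/Unknown|does not map to a Kerberos Realm' || true
}

# Constructed sample built from the lines quoted in the Issue section
# (three matching lines, plus a "Possible causes:" line and a benign line).
SAMPLE_LOG='"2022-04-20T15:06:27","ERROR","WindowsCollection","","[domainname.eventsourcename] Error pulling events. Response code = 401/Unknown"
"2022-04-20T15:06:27","ERROR","WindowsCollection","","[domainname.eventsourcename] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source <eventsourcename>: 401/Unauthorized.
Possible causes:
- Event source (eventsourcename) does not map to a Kerberos Realm."
"2022-04-20T15:06:27","INFO","WindowsCollection","","[domainname.eventsourcename] pulled 12 events"'

# Steps 3 to 7 of the article, with a pre-flight check and a timestamped backup.
apply_hotfix() {
    rpm_file=$1
    [ -f "$rpm_file" ] || { echo "hotfix RPM not found: $rpm_file" >&2; return 1; }
    # Step 3: record the currently installed package version.
    echo "Installed before: $(rpm -qa | grep 'nw-logcollector' || echo '<none>')"
    # Step 4: stop the service.
    systemctl stop nwlogcollector
    # Step 5: keep a timestamped copy of the current binary.
    cp -p /usr/sbin/NwLogCollector "/usr/sbin/NwLogCollector.bak.$(date +%Y%m%d%H%M%S)"
    # Step 6: install the hotfix RPM.
    rpm -Uvh "$rpm_file"
    # Step 7: start the service again and show the new version.
    systemctl start nwlogcollector
    echo "Installed after: $(rpm -qa | grep 'nw-logcollector')"
}

# Only act when asked explicitly, e.g.:
#   sh hotfix.sh check
#   sh hotfix.sh apply ./rsa-nw-logcollector-<version>.rpm   (as root)
case "${1:-}" in
    apply)
        apply_hotfix "${2:?path to hotfix RPM required}" ;;
    check)
        if curl -V | libcurl_supports_gssapi; then
            echo "system libcurl: GSS-API present"
        else
            echo "system libcurl: GSS-API missing"
        fi
        echo "WinRM Kerberos failure lines in /var/log/messages: $(count_kerberos_401_lines < /var/log/messages)"
        ;;
esac
```

Run "sh hotfix.sh check" to see whether the failure pattern is present in the log, and "sh hotfix.sh apply <rpm>" as root to perform the procedure; a matching count that drops to zero after the service restarts is the quickest confirmation that the hotfix took effect.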
Notes
This defect is intended to be fixed in RSA NetWitness Platform 11.7.1.1.
Product Details
RSA Product Set: NetWitness Platform
RSA Product/Service Type: Log Collector
RSA Version/Condition: 11.7.1.0
Platform: CentOS
O/S Version: EL7
Summary
After upgrading the Log Collector service to RSA NetWitness Platform 11.7.1, WinRM collection stops working and reports the error "Event source (eventsourcename) does not map to a Kerberos Realm" due to a known defect.