WinRM Event Source does not map to a Kerberos Realm in RSA Security Analytics
Issue
WinRM Event Source does not map to a Kerberos Realm in RSA Security Analytics. WinRM collection might not work, with the following error in the Log Collector logs:
May 8 12:14:29 xxxxxxxx nw[5906]: [WindowsCollection] [failure] [eventsourcename.example_com] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source eventsourcename.example.com: 401/Unauthorized.Possible causes:- Event source (eventsourcename.example.com) does not map to a Kerberos Realm.
Resolution
To resolve the issue, follow the steps below.
- In the Log Collector, open /etc/krb5.conf.
- Add rdns=false under [libdefaults].
- Save the file.
- In the Security Analytics user interface, configure the Event Source using the FQDN, not the IP address.
- Restart the Windows collection from the Security Analytics user interface under Logcollector View System > Collections > Windows.
Notes
Setting rdns to false prevents the use of reverse DNS resolution when translating hostnames into service principal names. The default is true. Setting this flag to false is more secure, but forces users to use fully qualified domain names exclusively when authenticating to services.
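A pre-flight check for the resolution steps and the note above, added here as an example and not part of the RSA article or product. The function names are hypothetical and the sample config and address are constructed; run it with the krb5.conf path and the event source address as arguments.

```shell
#!/bin/sh
# Added example: pre-flight check for the resolution steps (function names are hypothetical).

# Print the effective rdns setting from [libdefaults]; "true" when absent (the default).
krb5_rdns() {
    awk '
        /^[ \t]*[#;]/ { next }                              # skip comment lines
        /^[ \t]*\[/   { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*rdns[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            v = tolower(v)
            if (v == "false" || v == "no" || v == "off" || v == "0") v = "false"
            print v; found = 1; exit
        }
        END { if (!found) print "true" }
    ' "$1"
}

# Classify an event source address: ip (IPv4/IPv6 literal), fqdn (dotted name) or short.
source_kind() {
    case "$1" in
        *:*) echo ip ;;
        *[!0-9.]*) case "$1" in *.*) echo fqdn ;; *) echo short ;; esac ;;
        *) echo ip ;;
    esac
}

# $1 = krb5.conf path, $2 = event source address as entered in the user interface.
check_winrm_kerberos() {
    rc=0
    if [ "$(krb5_rdns "$1")" != "false" ]; then
        echo "FAIL: rdns is not false under [libdefaults] in $1"; rc=1
    fi
    if [ "$(source_kind "$2")" != "fqdn" ]; then
        echo "FAIL: event source '$2' is not an FQDN"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: rdns=false and event source is an FQDN"
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    check_winrm_kerberos "$1" "$2"
else
    # Constructed sample: the state before the fix (rdns absent, IP address used).
    tmp=$(mktemp)
    printf '[libdefaults]\n default_realm = EXAMPLE.COM\n' > "$tmp"
    check_winrm_kerberos "$tmp" 192.0.2.10 || true
    rm -f "$tmp"
fi
```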
Internal Comments
UserName:melim
6/25/2014 6:14:03 PM - Work in progress
Work in progress on this. Need to find some time to collect the info and replicate it.
UserName:shurtj
8/7/2014 5:50:24 PM - Updated Article
Updated article and made changes to abide by Primus best practices.
Product Details
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Log Collector
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6/EL7
Approval Reviewer Queue
RSA NetWitness Suite Approval Queue