000038047 - Windows logs are not coming to RSA NetWitness Platform due to "bookmark as 1" errors

Document created by RSA Customer Support Employee on Nov 4, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000038047
Applies ToRSA Product Set: NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition:
Platform: CentOS
O/S Version: 7
IssueWindows event source configured as per WinRM configuration guide and Test connection success. However, logs are not coming to NetWitness due to below errors in Collector.


Sep 16 09:32:58 VLC NwLogCollector[15403]: [WindowsCollection] [failure] [windowshost] Bookmarks received: Application=204,Security=1,System=108
Sep 16 09:32:58 VLC NwLogCollector[15403]: [WindowsCollection] [failure] [windowshost] [processing] [WorkUnit] [processing] Remote event source [windowshost] has returned bookmark as '1' for one or more channels which maye be an error.Discarding pulled events and reverting bookmarks for all channels to previous known bookmarks.
CauseThis issue is due to read events access was not granted for security channel logs for Event Log Readers group and Network Service account.
ResolutionPlease follow the below steps to grant read events access to the security channel.
  1. Login to the Windows server. Run the below commands as Administrator from the command prompt.

    winrm quickconfig
    wevtutil gl security > securityevtorig.txt

  2. Open securityevtorig.txt file.
         Example Output:

    name: security
    enabled: true
    type: Admin
    isolation: security
    channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)
      logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
      retention: false
      autoBackup: false
      maxSize: 16777216
      fileMax: 1

  3. Copy the channel access value and replace existing-SDDL-string to grant read access to the Event Log Readers group.

    wevtutil sl security /ca:existing-SDDL-string(A;;0x1;;;S-1-5-32-573)


    wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

  4. Repeat the same process to grant read access to the Network Service account.

    wevtutil sl security /ca:existing-SDDL-string(A;;0x1;;;s-1-5-20)


    wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;s-1-5-20)

  5. After the above steps, login to NetWitness GUI and restart the Windows collection in the Log Collector's System page.
  6. Verify that the bookmark errors are no longer being seen under /var/log/messages and logs are visible in the Investigation page.