Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000038047 - Windows logs are not coming to RSA NetWitness Platform due to "bookmark as 1" errors

Document created by RSA Customer Support

on Nov 4, 2019

Version 1Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000038047
Applies To	RSA Product Set: NetWitness Platform RSA Product/Service Type: Core Appliance RSA Version/Condition: 11.3.1.0 Platform: CentOS O/S Version: 7
Issue	Windows event source configured as per WinRM configuration guide and Test connection success. However, logs are not coming to NetWitness due to below errors in Collector. /var/log/messages: Sep 16 09:32:58 VLC NwLogCollector[15403]: [WindowsCollection] [failure] [windowshost] Bookmarks received: Application=204,Security=1,System=108 Sep 16 09:32:58 VLC NwLogCollector[15403]: [WindowsCollection] [failure] [windowshost] [processing] [WorkUnit] [processing] Remote event source [windowshost] has returned bookmark as '1' for one or more channels which maye be an error.Discarding pulled events and reverting bookmarks for all channels to previous known bookmarks.
Cause	This issue is due to read events access was not granted for security channel logs for Event Log Readers group and Network Service account.
Resolution	Please follow the below steps to grant read events access to the security channel. Login to the Windows server. Run the below commands as Administrator from the command prompt. winrm quickconfig wevtutil gl security > securityevtorig.txt Open securityevtorig.txt file. Example Output: name: security enabled: true type: Admin owningPublisher: isolation: security channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33) logging: logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx retention: false autoBackup: false maxSize: 16777216 publishing: fileMax: 1 Copy the channel access value and replace existing-SDDL-string to grant read access to the Event Log Readers group. wevtutil sl security /ca:existing-SDDL-string(A;;0x1;;;S-1-5-32-573) Example: wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573) Repeat the same process to grant read access to the Network Service account. wevtutil sl security /ca:existing-SDDL-string(A;;0x1;;;s-1-5-20) Example: wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;BO)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;S-1-5-33)(A;;0x1;;;s-1-5-20) After the above steps, login to NetWitness GUI and restart the Windows collection in the Log Collector's System page. Verify that the bookmark errors are no longer being seen under /var/log/messages and logs are visible in the Investigation page.

Attachments

Outcomes

0 Comments

Recommended Content

Incoming Links

Re: Collecting Sysmon logs via WinRM