000039241 - RSA NetWitness Endpoint Agent fails to collect Windows logs

Document created by RSA Customer Support Employee on Sep 11, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039241
Applies ToRSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Endpoint Advanced Agent
RSA Version/Condition: 11.3.x, 11.4.x
Platform: CentOS
O/S Version: 7
Product Description: Windows Event Log Collection
IssueThe installed NetWitness Endpoint Agent Windows policy isn't collecting any Windows event logs.

The AgentTest event returns the error message "Error 15001 occurred while starting event monitoring."

User-added image
CauseMicrosoft describes Error 15001 as an invalid channel query.

The configured Endpoint Windows policy channel filter has an error or is not configured.

Reference: Microsoft System Error Codes (12000-15999)
  1. In NetWitness UI, Admin > Endpoint Sources, Policies tab
    Click on the problem policy for the Windows Event Logs collection.
    Look to the right at the displayed Channel Filter Settings and try determine if there is an error, or if it is not configured.

    The below example shows on the right there is no Windows channel included in the configuration of the "Windows" policy name, which will cause the observed error.

    User-added image
  2. Edit the Endpoint policy for Windows Event Logs in NW UI, Admin > Endpoint Sources, Policies tab
    Make sure the "Channel Filters" option is included in the policy, and that at least one channel has been selected.
    Publish Policy.

    The below example shows on the right the "System" channel has been added to the Windows policy.

    User-added image