000017436 - Windows Legacy Collector cannot connect to Windows event sources in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000017436
Applies ToRSA Security Analytics
RSA Security Analytics Windows Legacy Collector
IssueWindows Legacy Collector cannot connect to Windows event sources in RSA Security Analytics.
Errors similar to the following are found in the Windows Legacy Collector logs:  Could not connect to server '\\<IP>\ROOT\CIMV2': error code: 80070005: Access is denied.
CauseThis issue is caused because the log collector is unable to connect to the remote machine using WMI. These systems may be fine in RSA enVision as it used remote registry access for the similar tasks, whereas WMI usage is new for the Security Analytics Windows Legacy Collector. These errors are likely because of permissions or policy.

Verify the account permissions on the Windows event source allow WMI Calls.  WMI access to a remote machine can be tested from the command line using the wmic command. One command we run over WMI is to get the operating system name. To replicate that from the command line you can run the following command:

C:\> wmic
Wmic:root\cli> /node:?IP? /user:?USER? os get caption

You will need to replace IP with the address of the machine you want to connect to and USER with the username you are connecting as (the same user the log collector is configured with).


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article IDa65143