on Jun 14, 2016Article Content
| Article Number | 000017436 |
| Applies To | RSA Security Analytics RSA Security Analytics Windows Legacy Collector |
| Issue | Windows Legacy Collector cannot connect to Windows event sources in RSA Security Analytics. Errors similar to the following are found in the Windows Legacy Collector logs: Could not connect to server '\\<IP>\ROOT\CIMV2': error code: 80070005: Access is denied. |
| Cause | This issue is caused because the log collector is unable to connect to the remote machine using WMI. These systems may be fine in RSA enVision as it used remote registry access for the similar tasks, whereas WMI usage is new for the Security Analytics Windows Legacy Collector. These errors are likely because of permissions or policy. |
| Resolution | Verify the account permissions on the Windows event source allow WMI Calls. WMI access to a remote machine can be tested from the command line using the wmic command. One command we run over WMI is to get the operating system name. To replicate that from the command line you can run the following command:
You will need to replace IP with the address of the machine you want to connect to and USER with the username you are connecting as (the same user the log collector is configured with).
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance. |
| Legacy Article ID | a65143 |