000017422 - RSA Security Analytics WinRM error: 'Unable to subscribe for events with Windows event source [ip address]: 401/Unauthorized'

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000017422
Applies To: RSA Security Analytics, Microsoft WinRM

Issue

RSA Security Analytics WinRM error: "Unable to subscribe for events with Windows event source [ip address]: 401/Unauthorized"

When attempting to add a Microsoft Windows domain controller event source with WinRM, an error similar to the following is observed in the log collector log, where 192.168.131.199 is the IP address of a Microsoft Windows domain controller:


         Unable to subscribe for events with Windows event source 192.168.131.199: 401/Unauthorized.

Cause

In the sample error above, the event source IP address 192.168.131.199 is not resolvable in DNS.  This can be verified by using the following command:  nslookup 192.168.131.199


If the correct FQDN is not returned, the IP address is not resolvable. This error can also occur when the FQDN does not map to a Kerberos realm.

Resolution

In use cases that leverage WinRM on domain controller event sources, the event source address must be the FQDN. It cannot be an IP address.
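A pre-flight check for event source addresses that covers the conditions described under Cause and Resolution (IP literal, missing reverse DNS, no Kerberos realm mapping). This is an added example, not RSA code. The function names, the suffix-to-realm table standing in for the collector's realm mapping, and the DNS sample records are assumptions constructed for illustration.

```python
import ipaddress
import socket

def realm_for(fqdn, domain_realm):
    """Longest-suffix match of the host's DNS domain in a {suffix: REALM} map."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        realm = domain_realm.get(".".join(labels[i:]))
        if realm:
            return realm
    return None

def check_event_source(address, domain_realm,
                       reverse=lambda ip: socket.gethostbyaddr(ip)[0],
                       forward=lambda n: {a[4][0] for a in socket.getaddrinfo(n, None)}):
    """Return (fqdn, problems); an empty problems list means the address is usable."""
    problems, fqdn = [], address
    try:
        ipaddress.ip_address(address)
    except ValueError:
        pass                                   # not an IP literal: treat as a name
    else:
        problems.append("IP literal configured; use the FQDN")
        try:
            fqdn = reverse(address)            # the name nslookup <ip> would return
        except OSError:
            return None, problems + ["no reverse DNS (PTR) entry for the IP"]
    if "." not in fqdn.rstrip("."):
        problems.append(f"{fqdn} is a short name, not an FQDN")
    try:
        addrs = forward(fqdn)
    except OSError:
        addrs = set()
        problems.append(f"{fqdn} does not resolve in DNS")
    if fqdn != address and addrs and address not in addrs:
        problems.append(f"{fqdn} does not resolve back to {address}")
    if realm_for(fqdn, domain_realm) is None:
        problems.append(f"{fqdn} maps to no Kerberos realm")
    return fqdn, problems

def table_resolver(table):
    """Offline stand-in for DNS: raises OSError like socket does on a miss."""
    def resolve(key):
        if key not in table:
            raise OSError(f"{key}: not found")
        return table[key]
    return resolve

# Constructed sample data (not real records); 192.168.131.199 has no PTR, as in the article.
PTR = {"192.0.2.10": "dc01.corp.example.com"}
A = {"dc01.corp.example.com": {"192.0.2.10"}, "dc02.lab.example.net": {"192.0.2.20"}}
REALMS = {"corp.example.com": "CORP.EXAMPLE.COM"}
rev, fwd = table_resolver(PTR), table_resolver(A)
```

Calling `check_event_source(address, REALMS)` without the `rev` and `fwd` arguments uses the system resolver instead of the sample tables.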
Notes

The FQDN (Fully Qualified Domain Name) is a DNS name that uniquely identifies the computer on the network. An FQDN is a concatenation of the host name and the primary DNS suffix, and is delimited with periods. An example of an FQDN is mydomain.com.

Legacy Article ID: a65455
