|Applies To||RSA Security Analytics|
|Issue||RSA Security Analytics WinRM error: "Unable to subscribe for events with Windows event source [ip address]: 401/Unauthorized"|
When attempting to add a Microsoft Windows domain controller event source with WinRM, a similar error is observed in the log collector log, where 192.168.131.199 is the IP address of a Microsoft Windows domain controller:
Unable to subscribe for events with Windows event source 192.168.131.199: 401/Unauthorized.
In the sample error above, the event source IP address 192.168.131.199 is not resolvable in DNS. This can be verified by using the following command: nslookup 192.168.131.199
If the correct FQDN is not returned, the IP address will not resolvable. This error can also occur when the FQDN does not map to a Kerberos Realm.
|Resolution||In use cases that leverage WinRM on domain controller event sources, the event source address must be the FQDN. It cannot be an IP address.|
|Notes||The FQDN (Fully Qualified Domain Name) is a DNS name that uniquely identifies the computer on the network. An FQDN is a concatenation of the host name and the primary DNS suffix, and is delimited with periods. An example of an FQDN is mydomain.com.|
|Legacy Article ID||a65455|