000016985 - Error message 'WinRM collection:Failed to refresh Kerberos TGT' displayed in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000016985
Applies ToRSA Security Analytics
RSA Security Analytics Log Collector
Microsoft WinRM
IssueError message "WinRM collection:Failed to refresh Kerberos TGT" displayed in RSA Security Analytics.
Event collection fails for few event sources from the same Kerberos realm.

Error messages similar to the following are dispalyed:

"2014-04-10T08:42:43","INFO","WindowsCollection","","windows, windows started."
"2014-04-10T08:42:43","INFO","WindowsCollection","","[alias.hostname_domain_com] [processing] [alias.hostname_domain_com] Starting work"
"2014-04-10T08:42:43","INFO","WindowsCollection","","[alias.hostname_domain_com] [processing] [alias.hostname_domain_com] Enumerating SID information"
"2014-04-10T08:42:43","ERROR","WindowsCollection","","[alias.hostname_domain_com] Error enumerating for account SIDs. Response code = 401/Unknown"
"2014-04-10T08:42:43","ERROR","WindowsCollection","","[alias.hostname_domain_com] [processing] [alias.hostname_domain_com] Error enumerating for SID information: 401/Unauthorized."
"2014-04-10T08:42:43","ERROR","WindowsCollection","","[alias.hostname_domain_com] Error subscribing. Response code = 401/Unknown"


An error message similar to the following is displayed:

2014-Mar-06 13:20:22 [WindowsCollection] [LAB.xx_xx_xx_xx] [processing] [LAB.xx_xx_xx_xx] Unable to pull events from Windows event source xx.xx.xx.xx: Fault Code : s:Receiver Subcode : n:InvalidEnumerationContext Reason : The WS-Enumeration context in the enumeration is not valid. Enumeration may have been completed or cancelled. You cannot use this enumeration context anymore. Start a new enumeration...

Command line 'curl' test returns successful results.

This issue is caused because the Event Source credentials are correct.

Once a subscription has been created, the Windows event source returns an "Enumeration Context" in each pull request. It must be returned to the event source in the next pull request. If that is invalid, the above error may be generated and collection cannot be continued within the current subscription. This can happen if the Windows event source has been rebooted or the WinRM service restarted. The Windows collection, however, automatically handles this error. It cancels an existing subscription, if any, and resubscribes from the last saved bookmarks. Sometimes, this error is triggered by Windows collection itself. For example, if Windows collection is stopped while processing pulled events, it is forced to cancel the existing subscription so it can resume collection correctly. It forces a resubscription by clearing the saved enumeration context. If the system doesn't handle the resubscription automatically, you may follow the steps below to force a re-subscription:


In order to resolve the issue, follow the steps below.

1. Within Log Collector service's System section. Stop the Windows Collection.
2. SSH to log collector and cd /var/netwitness/logcollector/runtime/windows/eventsources
3. You should see <alias>.<eventsourceaddress>.xml for the specific IP
4. In that file, there is an entry for enumeration context and subscription id. Clear that context and save the file. Repeat this for the IPs having issue respectively.

5. Restart Windows Collection in the Log Collector service.

Legacy Article IDa65022