000016985 - Error message 'WinRM collection: Failed to refresh Kerberos TGT' is displayed in RSA Security Analytics / NetWitness Platform

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Sep 26, 2019.
Version 3

Article Content

Article Number: 000016985
Applies To: RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Log Collector (WinRM Collection)
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6, EL7
Issue: Error message "WinRM collection: Failed to refresh Kerberos TGT" is displayed in RSA Security Analytics / NetWitness Logs & Network.
Event collection fails for a few event sources from the same Kerberos realm.

Error messages similar to the following are displayed:

"2014-04-10T08:42:43","INFO","WindowsCollection","","windows, windows started."
"2014-04-10T08:42:43","INFO","WindowsCollection","","[alias.hostname_domain_com] [processing] [alias.hostname_domain_com] Starting work"
"2014-04-10T08:42:43","INFO","WindowsCollection","","[alias.hostname_domain_com] [processing] [alias.hostname_domain_com] Enumerating SID information"
"2014-04-10T08:42:43","ERROR","WindowsCollection","","[alias.hostname_domain_com] Error enumerating for account SIDs. Response code = 401/Unknown"
"2014-04-10T08:42:43","ERROR","WindowsCollection","","[alias.hostname_domain_com] [processing] [alias.hostname_domain_com] Error enumerating for SID information: 401/Unauthorized."
"2014-04-10T08:42:43","ERROR","WindowsCollection","","[alias.hostname_domain_com] Error subscribing. Response code = 401/Unknown"


An error message similar to the following is displayed:

2014-Mar-06 13:20:22 [WindowsCollection] [LAB.xx_xx_xx_xx] [processing] [LAB.xx_xx_xx_xx] Unable to pull events from Windows event source xx.xx.xx.xx: Fault Code : s:Receiver Subcode : n:InvalidEnumerationContext Reason : The WS-Enumeration context in the enumeration is not valid. Enumeration may have been completed or cancelled. You cannot use this enumeration context anymore. Start a new enumeration...

Command-line 'curl' test returns successful results.

This issue is caused by incorrect Event Source credentials.

Once a subscription has been created, the Windows event source returns an "Enumeration Context" in response to each pull request; the collector must send that context back with the next pull request.

If the context is invalid, the error above may be generated and collection cannot continue within the current subscription. This can happen if the Windows event source has been rebooted or the WinRM service has been restarted. The Windows collection handles this error automatically: it cancels the existing subscription, if any, and re-subscribes from the last saved bookmarks.

Sometimes this error is triggered by the Windows collection itself. For example, if the Windows collection is stopped while it is processing pulled events, it must cancel the existing subscription so that it can resume collection correctly; it forces a re-subscription by clearing the saved enumeration context. If the system does not handle the re-subscription automatically, follow the steps below to force one:


In order to resolve the issue, follow the steps below.

  1. In the Log Collector service's System section, stop the Windows Collection.
  2. SSH to the Log Collector and cd to /var/netwitness/logcollector/runtime/windows/eventsources.
  3. You should see a file named <alias>.<eventsourceaddress>.xml for the specific event source IP.
  4. In that file there is one entry for the enumeration context and one for the subscription ID. Clear both and save the file. Repeat this for each IP that has the issue.
  5. Restart the Windows Collection in the Log Collector service.
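The file edit in step 4, as an added example that is not part of this article or of the RSA product: a small Python script that backs up the event-source state file and blanks the two entries while leaving the saved bookmarks untouched. The element names enumerationContext and subscriptionId and the sample file content are assumptions made for illustration; compare them with the real file before running it against a Log Collector.

```python
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of an event-source state file. The real file lives under
# /var/netwitness/logcollector/runtime/windows/eventsources/<alias>.<address>.xml.
# The element names below are ASSUMED for illustration, not taken from the product.
SAMPLE_STATE_XML = """<eventsource>
  <alias>alias.hostname_domain_com</alias>
  <bookmark>
    <log name="Security" recordId="123456"/>
  </bookmark>
  <enumerationContext>uuid:CONSTRUCTED-ENUM-CONTEXT</enumerationContext>
  <subscriptionId>uuid:CONSTRUCTED-SUBSCRIPTION-ID</subscriptionId>
</eventsource>
"""

# Tags whose text is blanked to force a re-subscription. Matching ignores case and
# separators, so "enumeration_context" or "SubscriptionID" would also be caught.
TARGET_TAGS = {"enumerationcontext", "subscriptionid"}


def _normalize(tag):
    return re.sub(r"[^a-z]", "", tag.lower())


def clear_subscription_state(xml_text):
    """Return (new_xml_text, list_of_cleared_tags); bookmarks and all other data stay intact."""
    root = ET.fromstring(xml_text)
    cleared = []
    for elem in root.iter():
        if _normalize(elem.tag) in TARGET_TAGS and (elem.text or "").strip():
            elem.text = ""
            cleared.append(elem.tag)
    return ET.tostring(root, encoding="unicode"), cleared


def clear_state_file(path):
    """Back up <path> to <path>.bak, then clear the two entries in place; returns cleared tags."""
    path = Path(path)
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    new_text, cleared = clear_subscription_state(path.read_text())
    path.write_text(new_text)
    return cleared


if __name__ == "__main__":
    import sys
    # Usage: stop the Windows Collection first, then pass one state file per affected IP.
    for state_file in sys.argv[1:]:
        print(state_file, "cleared:", clear_state_file(state_file))
```

Run it only while the Windows Collection is stopped (steps 1 and 5), since the collector rewrites these files while it is running.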

Legacy Article ID: a65022