|Applies To||RSA Security Analytics|
RSA Security Analytics Log Collector
|Issue||Error message "WinRM collection:Failed to refresh Kerberos TGT" displayed in RSA Security Analytics.|
Event collection fails for a few event sources from the same Kerberos realm.
Error messages similar to the following are displayed:
An error message similar to the following is displayed:
Command line 'curl' test returns successful results.
This issue is caused because the Event Source credentials are correct.
Once a subscription has been created, the Windows event source returns an "Enumeration Context" in each pull request. It must be returned to the event source in the next pull request. If that is invalid, the above error may be generated and collection cannot be continued within the current subscription. This can happen if the Windows event source has been rebooted or the WinRM service restarted.

The Windows collection, however, automatically handles this error. It cancels an existing subscription, if any, and resubscribes from the last saved bookmarks.

Sometimes, this error is triggered by Windows collection itself. For example, if Windows collection is stopped while processing pulled events, it is forced to cancel the existing subscription so it can resume collection correctly. It forces a resubscription by clearing the saved enumeration context.

If the system doesn't handle the resubscription automatically, you may follow the steps below to force a re-subscription:
In order to resolve the issue, follow the steps below.
1. Within the Log Collector service's System section, stop the Windows Collection.
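
The enumeration-context handling described above, as an added simulation (not RSA or Microsoft code; all class and method names are hypothetical and the event records are constructed). It shows a collector that hits an invalid context after a source restart, clears the saved context, and resubscribes from its saved bookmark without losing or duplicating events.

```python
import uuid

class InvalidEnumerationContext(Exception):
    """The source does not recognise the context the collector returned."""

class SimulatedEventSource:
    def __init__(self, events):
        self.events = list(events)   # constructed (record_id, text) pairs
        self._contexts = {}          # outstanding context -> next event index

    def _issue(self, index):
        ctx = uuid.uuid4().hex
        self._contexts[ctx] = index
        return ctx

    def subscribe(self, bookmark):
        # Resume after the last record id the collector saved.
        newer = [i for i, (rid, _) in enumerate(self.events) if rid > bookmark]
        return self._issue(newer[0] if newer else len(self.events))

    def pull(self, ctx, max_events=2):
        if ctx not in self._contexts:
            raise InvalidEnumerationContext(ctx)
        i = self._contexts.pop(ctx)
        batch = self.events[i:i + max_events]
        return batch, self._issue(i + len(batch))  # fresh context per response

    def restart(self):
        self._contexts.clear()       # reboot / WinRM restart loses all contexts

class Collector:
    def __init__(self, source):
        self.source, self.bookmark, self.ctx = source, 0, None
        self.collected, self.resubscriptions = [], 0

    def poll(self):
        if self.ctx is None:                       # no saved context: subscribe
            self.ctx = self.source.subscribe(self.bookmark)
        try:
            batch, self.ctx = self.source.pull(self.ctx)
        except InvalidEnumerationContext:
            self.ctx = None                        # clear the saved context
            self.resubscriptions += 1
            return self.poll()                     # resubscribe from the bookmark
        for rid, _ in batch:
            self.collected.append(rid)
            self.bookmark = rid                    # bookmark each processed record
        return len(batch)

def demo():
    src = SimulatedEventSource([(n, f"event {n}") for n in range(1, 7)])
    col = Collector(src)
    col.poll(); src.restart(); col.poll(); col.poll()
    return col.collected, col.resubscriptions
```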
|Legacy Article ID||a65022|