000012983 - WinRM Event Source does not map to a Kerberos Realm in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Oct 11, 2019.
Version 3

Article Content

Article Number: 000012983
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Log Collector
RSA Version/Condition: 10.x, 11.x
Platform: CentOS
O/S Version: EL6/EL7
Issue:
WinRM Event Source does not map to a Kerberos Realm in RSA Security Analytics.

WinRM collection might fail with the following error in the Log Collector logs:

May  8 12:14:29 xxxxxxxx nw[5906]: [WindowsCollection] [failure] [eventsourcename.example_com] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source eventsourcename.example.com: 401/Unauthorized.Possible causes:- Event source (eventsourcename.example.com) does not map to a Kerberos Realm.


To resolve the issue, follow the steps below.

  1. On the Log Collector, open /etc/krb5.conf.
  2. Add rdns=false under [libdefaults].
  3. Save the file.
  4. In the Security Analytics user interface, configure the Event Source using the FQDN, not the IP address.
  5. Restart the Windows collection from the Security Analytics user interface under Logcollector View System > Collections > Windows.
Notes:
If rdns is set to false, it prevents the use of reverse DNS resolution when translating hostnames into service principal names. The default is set to true. Setting this flag to false is more secure, but forces users to exclusively use fully qualified domain names when authenticating to services.
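
As an added example (not RSA's code or part of the original article), this shell script checks the two things the resolution changes: the effective rdns value under [libdefaults], and whether an event source address is an FQDN rather than an IP address. The function names krb5_rdns and is_fqdn are hypothetical helpers, and the sample krb5.conf content is constructed.

```shell
#!/bin/sh
# Added example, not RSA code: check the two settings the resolution changes.

# krb5_rdns FILE: print the effective rdns value ("true" or "false") from
# the [libdefaults] section. An absent key reports the default, true.
krb5_rdns() {
    awk '
        /^[ \t]*\[/ {                      # section header such as [realms]
            s = $0; gsub(/[ \t\r]/, "", s)
            in_lib = (s == "[libdefaults]"); next
        }
        /^[ \t]*[#;]/ { next }             # comment line
        in_lib && found == "" {            # assumption: first occurrence wins
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = tolower(substr($0, n + 1))
            gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == "rdns") found = v
        }
        END {
            # MIT krb5 also accepts these spellings for a false boolean
            if (found ~ /^(false|no|n|off|0|nil)$/) print "false"
            else print "true"
        }
    ' "$1"
}

# is_fqdn NAME: exit 0 if NAME looks like a fully qualified host name,
# exit 1 for IP literals and single-label names (step 4 of the procedure).
is_fqdn() {
    case "$1" in
        ""|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;  # empty, malformed, or IPv6 literal
        *[A-Za-z]*.*|*.*[A-Za-z]*) return 0 ;;    # has a dot and at least one letter
        *) return 1 ;;                            # single label or IPv4 literal
    esac
}

# Constructed sample: a krb5.conf that does not set rdns yet.
sample=$(mktemp)
printf '%s\n' '[libdefaults]' ' default_realm = EXAMPLE.COM' '[realms]' > "$sample"
echo "rdns before the change: $(krb5_rdns "$sample")"
is_fqdn 192.0.2.10 || echo "192.0.2.10: configure the event source by FQDN instead"
rm -f "$sample"
```

On a Log Collector, run krb5_rdns /etc/krb5.conf after step 3 to confirm the edit landed in the [libdefaults] section.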
Legacy Article ID: a65532