Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000013416 - Error message 'Unable to pull events from Windows event source host_kerberos_realm: 401/Unauthorized' on an RSA Security Analytics Log Collector

Document created by RSA Customer Support

on Jun 14, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000013416
Applies To	RSA Security Analytics RSA Security Analytics Log Collector Microsoft WinRM
Issue	Error message "Unable to pull events from Windows event source host_kerberos_realm: 401/Unauthorized" on an RSA Security Analytics Log Collector. The /var/log/messages file reports errors similar to the following: [domain.host_kerberos_realm] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source host_kerberos_realm: 401/Unauthorized. Possible causes: - Event source (host.kerberos.realm) does not map to a Kerberos Realm.
Resolution	In order to resolve the issue, follow the steps below. 1. Review the Kerberos Ticket Granting Tickets (TGT) on the Log Collector. The klist command generates log messages on the status of the TGT and service tickets for each of the Kerberos Realms, export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir klist -A Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tktvl5iTI Default principal: {login_name}@{domain_name} Valid starting Expires Service principal 05/30/13 22:43:36 05/31/13 02:43:36 krbtgt/{login_name}@{domain_name} renew until 05/31/13 02:43:36 Where the Kerberos tickets exist there should be displayed an entry for all Hosts in all Realms. Confirm the tickets are not expired. When Kerberos Ticket Granting Tickets (TGT) is successful the /var/netwitness/logcollector/runtime/krb5_ccache_dir directory should contain the file, primary, and a tktaaaaaa (where aaaaaa is alphanumeric characters) for each Realm. The file primary will contain the name of the tktaaaaaa file which is the Primary Realm. The tktaaaaaa binary file(s) contains ticket details for each host in the Realm. To determine the Realm of the tktaaaaaa binary file(s), run the command, strings tktaaaaaa 2. Run the kinit command to test the login with the Ticket Granting Tickets (TGT), to the KDC Server. export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir kinit -V {login_name}@{KDC_REALM} Using new cache: :/var/netwitness/logcollector/runtime/krb5_ccache_dir/tkt9L3aAR Using principal: {login_name}@{KDC_REALM} Password for {login_name}@{KDC_REALM}: Authenticated to Kerberos v5 Where {login_name} is the login used by SA to access the Windows server. {KDC_REALM} is configured in Kerberos configuration file, /etc/krb5.conf in uppercase characters. Enter the known password for the login name, and confirm the Kerberos authentication is successful. If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
Legacy Article ID	a67089

Attachments

Outcomes

0 Comments