000013416 - Error message 'Unable to pull events from Windows event source host_kerberos_realm: 401/Unauthorized' on an RSA Security Analytics Log Collector

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000013416
Applies To: RSA Security Analytics
RSA Security Analytics Log Collector
Microsoft WinRM
Issue: Error message "Unable to pull events from Windows event source host_kerberos_realm: 401/Unauthorized" on an RSA Security Analytics Log Collector.

The /var/log/messages file reports errors similar to the following:

[domain.host_kerberos_realm] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source host_kerberos_realm: 401/Unauthorized.
Possible causes:
- Event source (host.kerberos.realm) does not map to a Kerberos Realm.


In order to resolve the issue, follow the steps below.


1. Review the Kerberos Ticket Granting Tickets (TGT) on the Log Collector.

The klist command reports the status of the TGT and service tickets for each of the Kerberos realms:

         export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir
         klist -A

Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tktvl5iTI
Default principal: {login_name}@{domain_name}

Valid starting Expires Service principal
05/30/13 22:43:36 05/31/13 02:43:36 krbtgt/{login_name}@{domain_name}
   renew until 05/31/13 02:43:36

Where Kerberos tickets exist, an entry should be displayed for every host in every realm.
Confirm that the tickets have not expired.

When the Kerberos Ticket Granting Tickets (TGT) have been obtained successfully, the /var/netwitness/logcollector/runtime/krb5_ccache_dir directory should contain a file named primary and one tktaaaaaa file (where aaaaaa is a string of alphanumeric characters) for each realm.

The primary file contains the name of the tktaaaaaa file that belongs to the primary realm.
Each tktaaaaaa binary file contains the ticket details for each host in the realm. To determine the realm of a tktaaaaaa binary file, run the command:

strings tktaaaaaa

2. Run the kinit command to test the Ticket Granting Ticket (TGT) login to the KDC server.

export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir
kinit -V {login_name}@{KDC_REALM}

Using new cache: :/var/netwitness/logcollector/runtime/krb5_ccache_dir/tkt9L3aAR
Using principal: {login_name}@{KDC_REALM}
Password for {login_name}@{KDC_REALM}:
Authenticated to Kerberos v5

{login_name} is the login used by SA to access the Windows server.
{KDC_REALM} is the realm configured in the Kerberos configuration file, /etc/krb5.conf, in uppercase characters.

Enter the known password for the login name and confirm that the Kerberos authentication is successful.
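
The checks in step 1 can be scripted. The following is an added example, not RSA's own code: it verifies the layout of the credential cache directory and flags expired tickets in klist -A output. The function names check_ccache_layout and expired_tickets are hypothetical, and the date parsing assumes the MM/DD/YY layout shown in the klist output above.

```shell
#!/bin/sh
# Added example: audit the Log Collector's DIR: credential cache (step 1).

# check_ccache_layout DIR
# Returns 0 only if "primary" exists, names a tkt file that is present,
# and at least one tkt* file exists. Prints one finding per line.
check_ccache_layout() {
    dir=$1
    rc=0
    if [ ! -f "$dir/primary" ]; then
        echo "MISSING primary"
        rc=1
    else
        # "primary" holds the name of the tkt file for the primary realm.
        p=$(head -n 1 "$dir/primary" | tr -d '[:space:]')
        if [ -n "$p" ] && [ -f "$dir/$p" ]; then
            echo "OK primary -> $p"
        else
            echo "BROKEN primary -> $p"
            rc=1
        fi
    fi
    n=0
    for f in "$dir"/tkt*; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "TKT_FILES $n"
    if [ "$n" -eq 0 ]; then rc=1; fi
    return "$rc"
}

# expired_tickets NOW   (klist -A text on stdin, NOW as YYMMDDhhmmss)
# Prints the service principal of every ticket whose Expires time is <= NOW.
# Assumes the "MM/DD/YY hh:mm:ss" layout shown in the article (a four-digit
# year is reduced to its last two digits).
expired_tickets() {
    awk -v now="$1" '
        $1 ~ "^[0-9][0-9]/[0-9][0-9]/[0-9]+$" && NF >= 5 {
            split($3, d, "/"); split($4, t, ":")
            yy = substr(d[3], length(d[3]) - 1)
            expires = yy d[1] d[2] t[1] t[2] t[3]
            if ((expires "") <= (now "")) print $5
        }'
}
```

With KRB5CCNAME exported as in step 1, pipe klist -A into expired_tickets "$(date +%y%m%d%H%M%S)"; any principal it prints needs a fresh ticket via kinit as in step 2.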


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.

Legacy Article ID: a67089