|Applies To||RSA Security Analytics; RSA Security Analytics Log Collector|
|Issue||Error message "Unable to pull events from Windows event source host_kerberos_realm: 401/Unauthorized" on an RSA Security Analytics Log Collector.|
The /var/log/messages file reports errors similar to the following:
In order to resolve the issue, follow the steps below.
1. Review the Kerberos Ticket Granting Tickets (TGT) on the Log Collector.
The klist command reports the status of the TGT and service tickets for each of the Kerberos realms:
Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tktvl5iTI
Valid starting Expires Service principal
Where Kerberos tickets exist, an entry should be displayed for every host in every realm.
When the Kerberos Ticket Granting Tickets (TGT) have been obtained successfully, the /var/netwitness/logcollector/runtime/krb5_ccache_dir directory should contain the file primary and one tktaaaaaa file (where aaaaaa is a string of alphanumeric characters) for each realm.
The primary file contains the name of the tktaaaaaa file that belongs to the primary realm.
2. Run the kinit command to test the Ticket Granting Ticket (TGT) login to the KDC server.
Enter the known password for the login name, and confirm the Kerberos authentication is successful.
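A check for the cache directory layout described in step 1, as an added example that is not part of the original article or of RSA's tooling: it verifies that primary exists and names a non-empty tkt file, and counts the per-realm tkt files. The function name check_ccache_dir is hypothetical; the default path is the one given in this article.

```shell
#!/bin/sh
# Added example (not RSA code): sanity-check a DIR-type Kerberos credential
# cache directory against the layout described in step 1.
# Usage: check_ccache_dir [DIR]   (DIR defaults to the path from this article)
CCACHE_DIR_DEFAULT=/var/netwitness/logcollector/runtime/krb5_ccache_dir

# Hypothetical helper: prints findings, returns 0 only if the layout is sane.
check_ccache_dir() {
    dir=${1:-$CCACHE_DIR_DEFAULT}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    # The primary file holds the name of the tkt file for the primary realm.
    if [ ! -s "$dir/primary" ]; then
        echo "FAIL: primary file is missing or empty"
        rc=1
    else
        primary=$(head -n 1 "$dir/primary" | tr -d '[:space:]')
        case $primary in
            */*) echo "FAIL: primary contains a path: $primary"; rc=1 ;;
            tkt*)
                if [ ! -s "$dir/$primary" ]; then
                    echo "FAIL: primary points to missing cache $primary"
                    rc=1
                fi ;;
            *) echo "FAIL: primary names an unexpected file: $primary"; rc=1 ;;
        esac
    fi
    # Expect one tkt file per realm; an empty file means no usable tickets.
    count=0
    for f in "$dir"/tkt*; do
        [ -f "$f" ] || continue
        count=$((count + 1))
        if [ ! -s "$f" ]; then
            echo "FAIL: empty cache file $f"
            rc=1
        fi
    done
    echo "tkt cache files found: $count"
    [ "$count" -gt 0 ] || rc=1
    return $rc
}
```

Compare the reported file count with the number of configured realms; a mismatch or a FAIL line indicates which realm to test with kinit in step 2.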
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
|Legacy Article ID||a67089|