Article Number | 000031285 |
Applies To | RSA Product Set: Security Analytics RSA Product/Service Type: SA Security Analytics Server RSA Version/Condition: 10.X |
Issue | A customer wants to define winrm logcollection with two accounts. For example userA@DOMAIN to collect logs for Server A and userB@DOMAIN for Server B. Initally Log Collection may work, but will eventually break when the kerberos ticket for the other user is renewed. The following will be seen in the logs
[root@REMOTELOGCOL ~]# tail -f /var/log/messages |grep -i kerberos Sep 18 07:56:00 REMOTELOGCOL nw[29679]: [Krb5CacheMonitor] [failure] Failed to fetch Kerberos TGT for principal : RSALOGCOLLECTOR@WAUGH.LOCAL Sep 18 07:57:00 REMOTELOGCOL nw[29679]: [Krb5CacheMonitor] [failure] Failed to fetch Kerberos TGT for principal : RSALOGCOLLECTOR@WAUGH.LOCAL Sep 18 07:58:00 REMOTELOGCOL nw[29679]: [Krb5CacheMonitor] [info] Fetched Kerberos TGT for principal : RSALOGCOLLECTOR@WAUGH.LOCAL Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh03_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source dwaugh03.waugh.local: 401/Unauthorized.Possible causes:- Event source (dwaugh03.waugh.local) does not map to a Kerberos Realm. Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh05_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source dwaugh05.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (dwaugh05.WAUGH.LOCAL) does not map to a Kerberos Realm. Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh10_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source DWAUGH10.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (DWAUGH10.WAUGH.LOCAL) does not map to a Kerberos Realm. Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh14_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source DWAUGH14.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (DWAUGH14.WAUGH.LOCAL) does not map to a Kerberos Realm. Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh21_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source dwaugh21.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (dwaugh21.WAUGH.LOCAL) does not map to a Kerberos Realm. Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh23_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source DWAUGH23.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (DWAUGH23.WAUGH.LOCAL) does not map to a Kerberos Realm. [root@REMOTELOGCOL ~]# klist -A Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tktI9UDv4 Default principal: RSALOGCOLLECTOR@WAUGH.LOCAL Valid starting Expires Service principal 09/18/15 07:58:00 09/18/15 17:57:53 krbtgt/WAUGH.LOCAL@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/dwaugh03.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/dwaugh05.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/dwaugh10.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/dwaugh14.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/dwaugh21.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/dwaugh23.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:02 09/18/15 17:57:53 HTTP/ecat.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:03 09/18/15 17:57:53 HTTP/jumphost-0-0.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 09/18/15 07:58:03 09/18/15 17:57:53 HTTP/jumphost-0-0.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:58:00 Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tkt0j1onp Default principal: winrm@WAUGH.LOCAL Valid starting Expires Service principal 09/18/15 07:53:00 09/18/15 17:52:52 krbtgt/WAUGH.LOCAL@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:52:53 09/18/15 17:52:52 HTTP/dwaugh05.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:52:53 09/18/15 17:52:52 HTTP/dwaugh10.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:52:53 09/18/15 17:52:52 HTTP/dwaugh03.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:53:04 09/18/15 17:52:52 HTTP/dwaugh14.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:53:04 09/18/15 17:52:52 HTTP/dwaugh21.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:53:05 09/18/15 17:52:52 HTTP/dwaugh23.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:53:05 09/18/15 17:52:52 HTTP/ecat.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 09/18/15 07:53:11 09/18/15 17:52:52 HTTP/jumphost-0-0.waugh.local@WAUGH.LOCAL renew until 09/18/15 17:53:00 |
Cause | It is not possible to collect logs using multiple accounts in the same domain on one logcollector. The reason for this can be found here http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#twoprincs In most Kerberos implementations, there can only be a single principal per credential cache (or ticket file). You can however choose which cache to use by setting the KRB5CCNAME (in V5) andKRBTKFILE (in V4) environment variable. As a single Kerberos Ticket file is used in the logcollector located at
export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir then multiple users in the same domain are not possible. |
Resolution | Use only one account per logcollector. |
Workaround | If you absolutely must use different accounts for different servers, then the servers with different accounts will need to be distributed across different logcollectors. As this is across the same domain then it is not clear what the use case actually is for using multiple accounts for log collection in a single domain. |
Notes | All machine names and IP Addresses are taken from an internal test environment. |