000031285 - Winrm Log Collection: Can I use multiple accounts for the same domain when collecting logs via winrm?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.

Article Content

Article Number: 000031285
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.X
 
Issue
A customer wants to define WinRM log collection with two accounts, for example userA@DOMAIN to collect logs from Server A and userB@DOMAIN to collect logs from Server B.
Initially log collection may work, but it will eventually break when the Kerberos ticket for the other user is renewed.
The following will be seen in the logs:
 
[root@REMOTELOGCOL ~]# tail -f /var/log/messages |grep -i kerberos
Sep 18 07:56:00 REMOTELOGCOL nw[29679]: [Krb5CacheMonitor] [failure] Failed to fetch Kerberos TGT for principal : RSALOGCOLLECTOR@WAUGH.LOCAL
Sep 18 07:57:00 REMOTELOGCOL nw[29679]: [Krb5CacheMonitor] [failure] Failed to fetch Kerberos TGT for principal : RSALOGCOLLECTOR@WAUGH.LOCAL
Sep 18 07:58:00 REMOTELOGCOL nw[29679]: [Krb5CacheMonitor] [info] Fetched Kerberos TGT for principal : RSALOGCOLLECTOR@WAUGH.LOCAL
Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh03_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source dwaugh03.waugh.local: 401/Unauthorized.Possible causes:- Event source (dwaugh03.waugh.local) does not map to a Kerberos Realm.
Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh05_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source dwaugh05.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (dwaugh05.WAUGH.LOCAL) does not map to a Kerberos Realm.
Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh10_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source DWAUGH10.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (DWAUGH10.WAUGH.LOCAL) does not map to a Kerberos Realm.
Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh14_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source DWAUGH14.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (DWAUGH14.WAUGH.LOCAL) does not map to a Kerberos Realm.
Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh21_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source dwaugh21.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (dwaugh21.WAUGH.LOCAL) does not map to a Kerberos Realm.
Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh23_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source DWAUGH23.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (DWAUGH23.WAUGH.LOCAL) does not map to a Kerberos Realm.
[root@REMOTELOGCOL ~]# klist -A
Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tktI9UDv4
Default principal: RSALOGCOLLECTOR@WAUGH.LOCAL
Valid starting     Expires            Service principal
09/18/15 07:58:00  09/18/15 17:57:53  krbtgt/WAUGH.LOCAL@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/dwaugh03.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/dwaugh05.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/dwaugh10.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/dwaugh14.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/dwaugh21.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/dwaugh23.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/ecat.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:03  09/18/15 17:57:53  HTTP/jumphost-0-0.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:03  09/18/15 17:57:53  HTTP/jumphost-0-0.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tkt0j1onp
Default principal: winrm@WAUGH.LOCAL
Valid starting     Expires            Service principal
09/18/15 07:53:00  09/18/15 17:52:52  krbtgt/WAUGH.LOCAL@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:52:53  09/18/15 17:52:52  HTTP/dwaugh05.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:52:53  09/18/15 17:52:52  HTTP/dwaugh10.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:52:53  09/18/15 17:52:52  HTTP/dwaugh03.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:53:04  09/18/15 17:52:52  HTTP/dwaugh14.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:53:04  09/18/15 17:52:52  HTTP/dwaugh21.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:53:05  09/18/15 17:52:52  HTTP/dwaugh23.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:53:05  09/18/15 17:52:52  HTTP/ecat.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:53:11  09/18/15 17:52:52  HTTP/jumphost-0-0.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00

 
Cause
It is not possible to collect logs using multiple accounts in the same domain on one logcollector. The reason for this can be found in the Kerberos FAQ:
http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#twoprincs
In most Kerberos implementations, there can only be a single principal per credential cache (or ticket file). You can however choose which cache to use by setting the KRB5CCNAME (in V5) and KRBTKFILE (in V4) environment variable.
As the logcollector uses a single Kerberos ticket cache, located at

export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir

multiple users in the same domain are not possible.
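The following is an added check, not part of the original article or the RSA product, that reads `klist -A` output in the format shown above and flags any realm for which more than one principal is cached on the collector, which is exactly the unsupported configuration this article describes. The sample output embedded in the script is constructed from the article's example; the file path and cache names are taken from it.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the format of `klist -A` on the logcollector:
# two caches inside the DIR collection, both principals in the same realm.
SAMPLE_KLIST = """\
Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tktI9UDv4
Default principal: RSALOGCOLLECTOR@WAUGH.LOCAL
Valid starting     Expires            Service principal
09/18/15 07:58:00  09/18/15 17:57:53  krbtgt/WAUGH.LOCAL@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tkt0j1onp
Default principal: winrm@WAUGH.LOCAL
Valid starting     Expires            Service principal
09/18/15 07:53:00  09/18/15 17:52:52  krbtgt/WAUGH.LOCAL@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
"""

CACHE_RE = re.compile(r"^Ticket cache:\s+(\S+)")
PRINC_RE = re.compile(r"^Default principal:\s+(\S+)@(\S+)")


def parse_klist(text):
    """Return a list of (cache_path, principal, realm) tuples from `klist -A` output."""
    caches, current = [], None
    for line in text.splitlines():
        m = CACHE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PRINC_RE.match(line)
        if m and current:
            caches.append((current, m.group(1) + "@" + m.group(2), m.group(2)))
    return caches


def realm_conflicts(caches):
    """Map realm -> sorted principals for each realm that has more than one
    principal cached; a non-empty result is the unsupported multi-account setup."""
    by_realm = defaultdict(set)
    for _, principal, realm in caches:
        by_realm[realm].add(principal)
    return {r: sorted(p) for r, p in by_realm.items() if len(p) > 1}


if __name__ == "__main__":
    # Read real output from a pipe (`klist -A | python3 check.py`), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    for realm, principals in realm_conflicts(parse_klist(text)).items():
        print(f"realm {realm} has {len(principals)} cached principals: {', '.join(principals)}")
```

Run it on the collector with the same KRB5CCNAME the service uses so `klist -A` enumerates the DIR collection; any realm reported should be reduced to a single account, or its event sources moved to another logcollector.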
Resolution
Use only one account per logcollector.
Workaround
If you absolutely must use different accounts for different servers, then the servers with different accounts will need to be distributed across different logcollectors. As this is all within a single domain, it is not clear what the use case actually is for using multiple accounts for log collection in one domain.
Notes
All machine names and IP addresses are taken from an internal test environment.
