000017407 - Unable to subscribe for events with Windows event source in RSA Security Analytics because Access is denied

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2

Article Content

Article Number: 000017407
Applies To: RSA Security Analytics, RSA Security Analytics Log Collector
Issue: Unable to subscribe for events with Windows event source in RSA Security Analytics because Access is denied.
The following error message is seen on the Log Collector:
    Unable to subscribe for events with Windows event source EVENTSOURCENAME: Fault Code : s:Sender Subcode : w:AccessDenied Reason : Access is denied. Fault Detail : Access is denied.
Resolution

When configuring a Windows event source (using WinRM), add the user account used for collection to the Local Event Log Reader group, not the Domain Event Log Reader group.

The user must also be added explicitly to the Local Event Log Reader group. It was found that this error message also occurs when the user is only a member of a group that has the correct permissions and that group, rather than the user, was added to the Local Event Log Reader group.
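
One way to verify the membership described above, as an added example that is not RSA's own script. It assumes the article's "Local Event Log Reader" is the built-in local Event Log Readers group (well-known SID S-1-5-32-573) and uses the placeholder account name CONTOSO\svc-logcollector; the -Fix switch is a parameter of this example only.

```powershell
# Added example: run in an elevated PowerShell 5.1+ session on the Windows event source.
# 'CONTOSO\svc-logcollector' is a placeholder for the account the Log Collector uses.
param(
    [string]$CollectionAccount = 'CONTOSO\svc-logcollector',
    [switch]$Fix   # when set, add the account directly to the group if it is missing
)

# Look the group up by its well-known SID so the check works on localized systems.
$groupSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-573'
$group    = Get-LocalGroup -SID $groupSid

# Resolve the account to a SID so the comparison does not depend on name formatting.
$accountSid = ([System.Security.Principal.NTAccount]$CollectionAccount).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Get-LocalGroupMember lists direct members only; nested membership is not expanded.
$members = @(Get-LocalGroupMember -Group $group)
$direct  = $members | Where-Object { $_.SID.Value -eq $accountSid.Value }
$nested  = $members | Where-Object { $_.ObjectClass -eq 'Group' }

if ($direct) {
    "OK: $CollectionAccount is a direct member of '$($group.Name)'."
} else {
    "MISSING: $CollectionAccount is not a direct member of '$($group.Name)'."
    if ($nested) {
        # Per this article, membership through one of these groups still yields AccessDenied.
        "Groups currently in '$($group.Name)':"
        $nested | ForEach-Object { "  $($_.Name)" }
    }
    if ($Fix) {
        Add-LocalGroupMember -Group $group -Member $CollectionAccount
        "Added $CollectionAccount directly to '$($group.Name)'."
    }
}
```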

Legacy Article ID: a65450
