000017407 - Windows event source is unable to subscribe for events in RSA NetWitness Platform because "Access is denied"

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 26, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000017407
Applies ToRSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.6.x, 11.x
IssueUnable to subscribe for events with Windows event source in RSA Security Analytics because "Access is denied".
The following error message is seen in the Log Collector logs:

Unable to subscribe for events with Windows event source EVENTSOURCENAME: Fault Code : s:Sender Subcode : w:AccessDenied Reason : Access is denied. Fault Detail : Access is denied.
CauseThe Windows user account used by NetWitness has insufficient privilege to read the event logs.
  1. When configuring a Windows event source (using WinRM), make sure to add the USER, that NetWitness will use for the log collection, into the Local Event Log Reader group and not the Domain Event Log Reader group.

    It is also important to add the USER explicitly to the LOCAL EVENT LOG READER group.

  2. It has also been found that if the user is a member of another group with the correct permissions, and this other group was added to the LOCAL EVENT LOG READER group, then this error message would also occur.

Explicitly add the USER to the LOCAL EVENT LOG READER group.

Legacy Article IDa65450