Windows Collection: Troubleshoot

Document created by RSA Information Design and Development on Jul 23, 2016. Last modified by RSA Information Design and Development on Sep 14, 2016.

This topic highlights possible problems that you may encounter with Windows Collection and suggested solutions to these problems.

Troubleshoot Windows Collection Issues

In general, the log messages are more detailed when SSL is disabled on the connection to the event source, so disabling it while you troubleshoot makes a problem easier to diagnose.

Security Analytics returns the following types of error messages in the log files.

               
Log Messages(i) 2013-Nov-21 14:47:06 [WindowsCollection] [LAB30.bad-host_lab30_local] [processing] [LAB30.bad-host_lab30_local] Starting work
(F) 2013-Nov-21 14:47:06 [WindowsCollection] [LAB30.bad-host_lab30_local] Error subscribing. Transport error code = 6/Could not resolve host
(F) 2013-Nov-21 14:47:06 [WindowsCollection] [LAB30.bad-host_lab30_local] [processing] [LAB30.bad-host_lab30_local] Unable to subscribe for events with Windows event source bad-host.lab30.local: Could not resolve host Possible causes: - DNS resolution failed or name/address (bad-host.lab30.local) incorrect. (i) 2013-Nov-21 14:47:06 [WindowsCollection] [LAB30.bad-host_lab30_local] [processing] [LAB30.bad-host_lab30_local] Finished work
(F) 2013-Nov-21 14:47:06 [WindowsCollection] [LAB30.bad-host_lab30_local] [processing] [LAB30.bad-host_lab30_local] windows:WrkUnit[1] Processing failed.
(i) 2013-Nov-21 14:47:06 [WindowsCollection] [LAB30.10_100_33_179] [processing] [LAB30.10_100_33_179] Starting work (i) 2013-Nov-21 14:47:06[WindowsCollection] [LAB30.10_100_33_179] [processing] [LAB30.10_100_33_179] Enumerating SID information


(F) 2013-Nov-21 14:47:09 [WindowsCollection] [LAB30.10_100_33_179] Error enumerating for account SIDs. Transport error code = 7/Could not connect
(F) 2013-Nov-21 14:47:09 [WindowsCollection] [LAB30.10_100_33_179] [processing] [LAB30.10_100_33_179] Error enumerating for SID information: Could not connect
(F) 2013-Nov-21 14:47:12 [WindowsCollection] [LAB30.10_100_33_179] Error subscribing. Transport error code = 7/Could not connect
(F) 2013-Nov-21 14:47:12 [WindowsCollection] [LAB30.10_100_33_179] [processing] [LAB30.10_100_33_179] Unable to subscribe for events with Windows event source 10.100.33.179: Could not connect Possible causes: - Event source not configured for collection with http. - Event source currently down.
(i) 2013-Nov-21 14:47:12 [WindowsCollection] [LAB30.10_100_33_179] [processing] [LAB30.10_100_33_179] Finished work
(F) 2013-Nov-21 14:47:12 [WindowsCollection] [LAB30.10_100_33_179] [processing] [LAB30.10_100_33_179] windows:WrkUnit[2] Processing failed.
Possible CauseWindows collection cannot connect to WinRM.
Solutions

Windows collection connects to the WinRM service on the Windows event source. You must configure the Windows event source to allow events to be collected. You can do this manually using the winrm command on the event source or you can create a Group Policy and push it to all event sources in a domain. This configuration creates a WinRM listener on the event source.

You must also configure the firewall on the event source to allow inbound connections from the collector. By default, WinRM listens on port 5985 for HTTP connections and port 5986 for HTTPS connections.

Please refer to Supported Event Sources in the Live Resources Management Guide for documentation on how to configure event sources.
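The following script, added here as an illustration and not part of the RSA documentation, parses collector log lines in the format shown above, picks out the transport error code from each failure, and maps it to the possible causes this page lists. The sample log text, the field names and the severity letters other than (i) and (F) are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log messages shown on this page.
SAMPLE_LOG = """\
(i) 2013-Nov-21 14:47:06 [WindowsCollection] [LAB30.bad-host_lab30_local] [processing] [LAB30.bad-host_lab30_local] Starting work
(F) 2013-Nov-21 14:47:06 [WindowsCollection] [LAB30.bad-host_lab30_local] Error subscribing. Transport error code = 6/Could not resolve host
(F) 2013-Nov-21 14:47:06 [WindowsCollection] [LAB30.bad-host_lab30_local] [processing] [LAB30.bad-host_lab30_local] windows:WrkUnit[1] Processing failed.
(F) 2013-Nov-21 14:47:09 [WindowsCollection] [LAB30.10_100_33_179] Error enumerating for account SIDs. Transport error code = 7/Could not connect
(F) 2013-Nov-21 14:47:12 [WindowsCollection] [LAB30.10_100_33_179] Error subscribing. Transport error code = 7/Could not connect
(i) 2013-Nov-21 14:47:12 [WindowsCollection] [LAB30.10_100_33_179] [processing] [LAB30.10_100_33_179] Finished work
"""

# (severity) date time [component] [event source id] [optional phase] [optional id] message
LINE_RE = re.compile(
    r"^\((?P<sev>[A-Za-z])\) (?P<ts>\S+ \S+) \[(?P<comp>[^\]]+)\] \[(?P<src>[^\]]+)\]"
    r"(?: \[processing\] \[[^\]]+\])? (?P<msg>.*)$"
)
TRANSPORT_RE = re.compile(r"Transport error code = (?P<code>\d+)/(?P<text>.+)$")

# Transport codes seen on this page and the checks the page associates with them.
TRIAGE = {
    6: "DNS resolution failed or the event source name/address is incorrect.",
    7: "Event source not configured for WinRM collection over HTTP (no listener, "
       "or firewall blocking 5985/5986), or the event source is currently down.",
}

def parse_line(line):
    """Split one collector log line into its fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    t = TRANSPORT_RE.search(rec["msg"])
    rec["code"] = int(t.group("code")) if t else None
    return rec

def triage(log_text):
    """Collect transport failures per event source and attach the suggested check."""
    codes_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["sev"] == "F" and rec["code"] is not None:
            codes_by_src[rec["src"]].add(rec["code"])
    return {src: [TRIAGE.get(c, f"unknown transport code {c}") for c in sorted(codes)]
            for src, codes in codes_by_src.items()}

if __name__ == "__main__":
    for src, hints in triage(SAMPLE_LOG).items():
        print(src)
        for hint in hints:
            print("  -", hint)
```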

