Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.6.0.2
Issue:
After the upgrade, WinRM collection stops periodically with 401 errors, and the failure message contains the Kerberos errors shown below.
Jul 14 12:17:52 XXX NwLogCollector: [WindowsCollection] [failure] [hostname] [processing] [WorkUnit] [processing] Unable to subscribe for events with Windows event source hostname: 401/Unauthorized.Possible causes:- Event source (hostname) does not map to a Kerberos Realm.
- Use the klist -A command to verify whether the Kerberos tickets exist.
Sample output, when Kerberos tickets exist, is shown below.
[root@XXX ~]# klist -A
- Running the two commands below on the Log Collector regenerates the Kerberos tickets, and WinRM collection starts again automatically. However, WinRM collection stops again once the Kerberos tickets are not refreshed.
Cause:
The Kerberos tickets may not be refreshing either because of the credentials configured in the Event Category or because the krb5.conf file is missing the default realm.
Resolution:
Use the steps below to resolve the issue permanently.
1. Log in to the Security Analytics GUI as admin.
2. Navigate to Collector -> Config -> Event Sources -> Windows/Config page.
3. On the Event Categories page, select the configuration of the problematic Domain Controller and click Edit.
4. Re-enter the credentials as highlighted below and click OK.
5. Then open a PuTTY session to the collector and edit the /etc/krb5.conf file to configure the default_realm entry for the problematic domain under [libdefaults].
Sample /etc/krb5.conf file contents are shown below.
6. Run the two commands below to regenerate the Kerberos tickets.
7. Verify the WinRM logs by navigating to the Investigation page in the GUI.
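As an added example, not part of the RSA article, the POSIX shell script below shows what a krb5.conf with default_realm set under [libdefaults] looks like next to one that lacks it (the misconfiguration named in the Cause), and resolves an event-source hostname to a realm the way the collector's Kerberos library has to before it can obtain a ticket. That resolution is the step that fails with "Event source (hostname) does not map to a Kerberos Realm" in the log above. The realm CORP.EXAMPLE.COM, the KDC dc01.corp.example.com and the host host.other.example are constructed placeholders, and the resolver only approximates MIT krb5's [domain_realm] lookup; it is a read-only check you can run against a copy of the collector's file, not a substitute for the two regeneration commands in step 6.

```shell
#!/bin/sh
# Added example, not part of the RSA article: check a krb5.conf for the two
# settings this fix depends on, a default_realm under [libdefaults] and a
# [domain_realm] mapping for the event source hostname. The realm
# CORP.EXAMPLE.COM and all hostnames below are assumed placeholders.

# Constructed sample of a krb5.conf that sets default_realm and maps the
# domain controller's DNS domain to the realm.
write_good_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc01.corp.example.com
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM
EOF
}

# Constructed sample of the misconfiguration in the article: no default_realm,
# so any host outside the [domain_realm] entries maps to no realm at all.
write_broken_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    dns_lookup_kdc = true

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc01.corp.example.com
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
EOF
}

# Usage: krb5_realm_for_host <krb5.conf> <hostname>
# Prints the realm the host maps to, approximating MIT krb5's lookup order:
# an exact [domain_realm] entry, then the longest matching ".suffix" entry,
# then default_realm. Returns 1 when none applies, which is the condition
# behind "Event source (hostname) does not map to a Kerberos Realm".
krb5_realm_for_host() {
    awk -v host="$2" '
        BEGIN { host = tolower(host); bestlen = 0 }
        # Track the current [section]; strip the brackets and surrounding blanks.
        /^[ \t]*\[/ {
            section = $0; gsub(/[][]/, "", section); gsub(/^[ \t]+|[ \t]+$/, "", section); next
        }
        section == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
            def = $0; sub(/^[^=]*=[ \t]*/, "", def); sub(/[ \t]+$/, "", def); next
        }
        section == "domain_realm" && /=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            lk = length(key)
            exact  = (key == host)
            suffix = (substr(key, 1, 1) == "." && lk < length(host) && substr(host, length(host) - lk + 1) == key)
            if ((exact || suffix) && lk > bestlen) { best = val; bestlen = lk }
        }
        END {
            if (best != "") { print best; exit 0 }
            if (def  != "") { print def;  exit 0 }
            exit 1
        }
    ' "$1"
}

# Stand-alone demonstration against the two constructed files.
main_demo() {
    f=$(mktemp)
    write_good_krb5_conf "$f"
    printf 'good config,   dc01.corp.example.com -> %s\n' "$(krb5_realm_for_host "$f" dc01.corp.example.com)"
    printf 'good config,   host.other.example    -> %s (default_realm fallback)\n' "$(krb5_realm_for_host "$f" host.other.example)"
    write_broken_krb5_conf "$f"
    printf 'broken config, dc01.corp.example.com -> %s\n' "$(krb5_realm_for_host "$f" dc01.corp.example.com)"
    krb5_realm_for_host "$f" host.other.example || echo 'broken config, host.other.example    -> no realm mapping'
    rm -f "$f"
}
main_demo
```

Setting default_realm makes every hostname that has no [domain_realm] entry fall back to that one realm, which is why step 5 alone stops the "does not map to a Kerberos Realm" failure. In an environment that collects from several Windows domains, a [domain_realm] entry for each domain controller's DNS domain is the more precise mapping, with default_realm as the safety net.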