000033064 - How to use the WinRM Tool to troubleshoot Windows collection issues in RSA NetWitness Logs & Packets

Document created by RSA Customer Support

on Mar 22, 2018•Last modified by RSA Customer Support

on Jul 8, 2019

Version 2Show Document

Like • Show 1 Like1
Comment • 0
View in full screen mode

Article Content

Article Number

000033064

Applies To

RSA Product Set: RSA Netwitness Logs & Network
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.5.x,10.6.x, 11.x
Platform: CentOS
O/S Version: EL6 / EL7

Resolution

WinRMDiagnostics is a standalone tool that helps to configure or fix Windows event sources for Windows Log Collection.
The tool can be invoked either in command line or UI mode, and supports Windows OS 2008 and above.

The tool can be invoked either in command line mode or User Interface (UI) mode. By default, the tool runs in UI mode.
To run the tool in command line mode, the -noui switch should be used.

Tool run modes:

Verify: Checks whether WinRM is configured on windows event source by executing pre-selected set of commands.(Default Mode)
Auto: Checks whether WinRM is configured on windows event source by executing pre-selected set of commands. If WinRM is not configured correctly, then the tool will try to fix the issue.
Manual: Allows user to specify a set of commands to execute.

Command-Line Mode

Below is the tool usage and parameters for running tool in command line mode.

WinRMDiagnostics –noui -mode [tool mode] –username [user id] -transport [transport mode] –port [port] -servicename [service name] -hostname [host fqdn] –usebasic [basic authentication for winrm] –zip [zip flag] –resultdir [result dir name] <commands>

Where:

-noui	Tool will run in console mode or else in UI mode
-mode	Tool mode (VERIFY (V), AUTO (A), MANUAL (M))
-username	User account credentials (DomainName@UserName)
-zip	Zip results directory (true/false)
-transport	WinRM listener transport mode
-port	WinRM listener port
-servicename	Service name
-hostname	Host name or Host FQDN
-usebasic	Use Basic Authentication for WinRM (true/false)
-resultdir	Result directory name (by default result directory is named as '<machinename>_wrm_<timestamp>)'
commands>	Commands to run (specify only if MANUAL mode is chosen)

Note: If ‘Verify’ or ‘Auto’ mode is chosen, then no command list should be specified.

Command Name	Description	Mode
		Verify	Auto	Manual
FirewallSrvStatus	Check state of Windows Firewall service
WinRMSrvStatus	Check state of WinRM service
WinRMVersion	Get WinRM version
WinRMListenerConfig	Get WinRM Listener configuration
WinRMOnDefaultPort	Check whether WinRM Listener is running on default port
AllowUnencryptGet	Check whether AllowUnencrypted property is set
EventLogPermGet	Check whether Event Log permissions are set correctly
EventReadersGrpGet	Check whether user account is part of Event Log Readers Local User Group Input: User Account Credentials (username)
SecLogChReadAccStatus	Verify whether SDDL string for Windows Log channel is configured for reading access to the Security Log channel
AllowUnencryptSet	Set AllowUnencrypted property to 'true'
EventLogPermSet	Set Event Log permissions for Event Log Readers group
SecLogChReadAccAdd	Grant read access to the Security Log channel by modifying SDDL string for Windows Log channel
WinRMQuickConfig	Run WinRM Quick config command Input - Transport (Default = HTTP), Use Basic Authentication (Default = False)
EventReadersGrpAdd	Add user account to Event Log Readers Local User Group Input: User Account Credentials (username)
WinRMListenerCreate	Create WinRM Listener Input - Transport (Default = HTTP), Port (Default = 5985)
WinRMListenerDelete	Delete WinRM Listener Input - Transport (Default = HTTP)
WinRMListenerPortSet	Set WinRM Listener port Input - Transport (Default = HTTP), Port (Default = 5985)
EventReadersGrpRem	Remove user account from Event Log Readers Local User Group Input: User Account Credentials (username)
ServiceStart	Start given service Input - Service Name
ServiceStop	Stop given service Input - Service Name
SystemTime	Get system time on local computer
OSName	Get host operating system name
HostIPByDns	Get Host IP Address from DNS Hostname Input - Host name or Host FQDN

Sample Usage
WinRMDiagnostics -noui -mode verify (Run 'verify' mode commands)
WinRMDiagnostics -noui -mode auto (Run 'auto' mode commands)
WinRMDiagnostics -noui <commands> (Run specified commands)
WinRMDiagnostics -ver (Tool version)
WinRMDiagnostics -help (Displays Tool usage)

User Interface Mode

General Tab:

Provides options for configuration and execution of the tool.

Run Mode:

Verify & Autorun mode runs a pre-selected set of commands (Ones that are not grayed out).
Commands need to be selected for Manual run mode only.
Command information is displayed in the Steps Description pane when the command name is clicked.
Specify tool parameters only for the selected commands.
To run the tool click on the Run button.

Results Tab:

Displays tool results in XML format. Tool results are saved here: ~\ WinRMToolResults\<hostname>_wrm_<timestamp>
Optional: Select Zip Results option to zip up the results directory. Specify Result Dir Name option to create result directory with a non-default name. eg. ~\ WinRMToolResults\rsasa-123

Results (Tabular) Tab:

Displays tool results in tabular format.

Notes

The WinRM Diagnostics tool and guide have been updated as of 2018/03/07. If you have downloaded this tool and guide before that time, please download them again using the links below. If this is the first time downloading these items, please use the same links below.

WinRM Diagnostics Tool: https://community.rsa.com/docs/DOC-58018
WinRM Configuration Guide: https://community.rsa.com/docs/DOC-58163

000033064 - How to use the WinRM Tool to troubleshoot Windows collection issues in RSA NetWitness Logs & Packets

Article Content

Command-Line Mode

User Interface Mode

Attachments

Outcomes

Related Content

Recommended Content