000033064 - How to use the WinRM Tool to troubleshoot Windows collection issues in RSA Netwitness Logs & Packets

Document created by RSA Customer Support Employee on Mar 22, 2018
Article Number: 000033064
Applies To:
RSA Product Set: RSA Netwitness Logs & Packets
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.5.x,10.6.x, 11.x
Platform: CentOS
O/S Version: EL6 / EL7
Resolution

WinRMDiagnostics is a standalone tool that helps configure or fix Windows event sources for Windows Log Collection. It supports Windows 2008 and above.

The tool can be invoked either in command line mode or User Interface (UI) mode. By default, the tool runs in UI mode; to run it in command line mode, use the -noui switch.

Tool run modes
  • Verify: Checks whether WinRM is configured on the Windows event source by executing a pre-selected set of commands. (Default mode)
  • Auto: Runs the same pre-selected checks as Verify and, if WinRM is not configured correctly, tries to fix the issue.
  • Manual: Allows the user to specify the set of commands to execute.
 

Command-Line Mode

Below are the tool usage and parameters for running the tool in command line mode.

WinRMDiagnostics -noui -mode [tool mode] -username [user id] -transport [transport mode] -port [port] -servicename [service name] -hostname [host fqdn] -usebasic [basic authentication for winrm] -zip [zip flag] -resultdir [result dir name] <commands>


Where:
  -noui         Tool runs in console mode; without it, the tool runs in UI mode
  -mode         Tool mode: VERIFY (V), AUTO (A) or MANUAL (M)
  -username     User account credentials (DomainName@UserName)
  -zip          Zip the results directory (true/false)
  -transport    WinRM listener transport mode
  -port         WinRM listener port
  -servicename  Service name
  -hostname     Host name or host FQDN
  -usebasic     Use Basic Authentication for WinRM (true/false)
  -resultdir    Result directory name (by default the result directory is named '<machinename>_wrm_<timestamp>')
  <commands>    Commands to run (specify only if MANUAL mode is chosen)


Note: If 'Verify' or 'Auto' mode is chosen, no command list should be specified.


 

Commands

Each command is listed with its description, the input it takes (if any), and the modes (Verify, Auto, Manual) in which it runs.

  • FirewallSrvStatus: Check state of Windows Firewall service. Modes: Verify, Auto.
  • WinRMSrvStatus: Check state of WinRM service. Modes: Verify, Auto.
  • WinRMVersion: Get WinRM version. Modes: Verify, Auto.
  • WinRMListenerConfig: Get WinRM Listener configuration. Modes: Verify, Auto.
  • WinRMOnDefaultPort: Check whether WinRM Listener is running on the default port. Modes: Verify, Auto.
  • AllowUnencryptGet: Check whether the AllowUnencrypted property is set. Modes: Verify, Auto.
  • EventLogPermGet: Check whether Event Log permissions are set correctly. Modes: Verify, Auto.
  • EventReadersGrpGet: Check whether the user account is part of the Event Log Readers local user group. Input: user account credentials (username). Modes: Verify, Auto.
  • SecLogChReadAccStatus: Verify whether the SDDL string for the Windows Log channel grants read access to the Security Log channel. Modes: Verify, Auto.
  • AllowUnencryptSet: Set the AllowUnencrypted property to 'true'. Modes: Auto, Manual.
  • EventLogPermSet: Set Event Log permissions for the Event Log Readers group. Modes: Auto, Manual.
  • SecLogChReadAccAdd: Grant read access to the Security Log channel by modifying the SDDL string for the Windows Log channel. Modes: Auto, Manual.
  • WinRMQuickConfig: Run the WinRM Quick config command. Input: transport (default = HTTP), use Basic Authentication (default = false). Modes: Auto, Manual.
  • EventReadersGrpAdd: Add the user account to the Event Log Readers local user group. Input: user account credentials (username). Modes: Auto, Manual.
  • WinRMListenerCreate: Create WinRM Listener. Input: transport (default = HTTP), port (default = 5985). Modes: Manual.
  • WinRMListenerDelete: Delete WinRM Listener. Input: transport (default = HTTP). Modes: Manual.
  • WinRMListenerPortSet: Set WinRM Listener port. Input: transport (default = HTTP), port (default = 5985). Modes: Manual.
  • EventReadersGrpRem: Remove the user account from the Event Log Readers local user group. Input: user account credentials (username). Modes: Manual.
  • ServiceStart: Start the given service. Input: service name. Modes: Manual.
  • ServiceStop: Stop the given service. Input: service name. Modes: Manual.
  • SystemTime: Get system time on the local computer. Modes: Verify, Auto, Manual.
  • OSName: Get host operating system name. Modes: Verify, Auto, Manual.
  • HostIPByDns: Get host IP address from DNS hostname. Input: host name or host FQDN. Modes: Verify, Auto, Manual.


Sample Usage
WinRMDiagnostics -noui -mode verify  (Run 'verify' mode commands)
WinRMDiagnostics -noui -mode auto    (Run 'auto' mode commands)
WinRMDiagnostics -noui <commands>    (Run specified commands)
WinRMDiagnostics -ver                (Tool version)
WinRMDiagnostics -help               (Displays tool usage)
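The Verify-mode checks listed above can also be reproduced by hand on the event source when the tool cannot be run there. The PowerShell script below is an added example, not the WinRMDiagnostics tool's code or part of this article; it assumes PowerShell 5.1 or later on the Windows event source, and the collection account name (DOMAIN\svc_netwitness) is a placeholder.

```powershell
# Added example, not the WinRMDiagnostics tool: read-only PowerShell version of the
# Verify-mode checks. Run on the Windows event source as an administrator (PS 5.1+).
param(
    [string]$CollectorUser = 'DOMAIN\svc_netwitness',  # placeholder: the Log Collector account
    [string]$Transport     = 'HTTP',
    [int]   $ExpectedPort  = 5985                      # WinRM default HTTP port
)
$results = @()
function Add-Check($Name, $Ok, $Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Passed = [bool]$Ok; Detail = $Detail }
}

# FirewallSrvStatus / WinRMSrvStatus: both services must be running (MpsSvc = Windows Firewall)
foreach ($svc in @{ FirewallSrvStatus = 'MpsSvc'; WinRMSrvStatus = 'WinRM' }.GetEnumerator()) {
    $s = Get-Service -Name $svc.Value -ErrorAction SilentlyContinue
    Add-Check $svc.Key ($s -and $s.Status -eq 'Running') "$($svc.Value) is $($s.Status)"
}

# WinRMListenerConfig / WinRMOnDefaultPort: enumerate listeners from the WSMan: drive
$listeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ChildItem $_.PSPath
    [pscustomobject]@{ Transport = ($p | Where-Object Name -eq 'Transport').Value
                       Port      = [int]($p | Where-Object Name -eq 'Port').Value }
})
$summary = ($listeners | ForEach-Object { "$($_.Transport)/$($_.Port)" }) -join ', '
Add-Check 'WinRMListenerConfig' ($listeners.Count -gt 0) "listeners: $summary"
$onPort = $listeners | Where-Object { $_.Transport -eq $Transport -and $_.Port -eq $ExpectedPort }
Add-Check 'WinRMOnDefaultPort' $onPort "expected $Transport listener on port $ExpectedPort"

# AllowUnencryptGet: 'true' permits WinRM traffic without message encryption over HTTP,
# which is why the tool's AllowUnencryptSet turns it on; it is only reported here, not changed.
$allow = (Get-Item WSMan:\localhost\Service\AllowUnencrypted -ErrorAction SilentlyContinue).Value
Add-Check 'AllowUnencryptGet' ($allow -eq 'true') "AllowUnencrypted = $allow"

# EventReadersGrpGet: the collection account must be in the local Event Log Readers group
$members = @(Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Name)
Add-Check 'EventReadersGrpGet' ($members -contains $CollectorUser) "members: $($members -join ', ')"

# SecLogChReadAccStatus: the Security channel SDDL needs an allow ACE whose mask has the read
# bit (0x1) for Event Log Readers (well-known SID S-1-5-32-573); wevtutil prints it as channelAccess
$sddl = ((wevtutil gl Security) -match 'channelAccess:') -replace '.*channelAccess:\s*', ''
$ace  = [regex]::Match([string]$sddl, '\(A;;(0x[0-9A-Fa-f]+);;;S-1-5-32-573\)')
Add-Check 'SecLogChReadAccStatus' ($ace.Success -and (([int]$ace.Groups[1].Value) -band 1)) "channelAccess = $sddl"

$results | Format-Table -AutoSize
```

Any check that reports Passed = False maps to the tool's corresponding Set/Add command in the table above (for example, a failed EventReadersGrpGet is what EventReadersGrpAdd fixes).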
 

User Interface Mode


General Tab:

  • Provides options for configuration and execution of the tool.

Run Mode:

  • Verify and Auto run modes run a pre-selected set of commands (the ones that are not grayed out).
  • Commands need to be selected for the Manual run mode only.
  • Command information is displayed in the Steps Description pane when the command name is clicked.
  • Specify tool parameters only for the selected commands.
  • To run the tool, click the Run button.

Results Tab:
  • Displays tool results in XML format. Tool results are saved under ~\WinRMToolResults\<hostname>_wrm_<timestamp>.
  • Optional: Select the Zip Results option to zip up the results directory. Specify the Result Dir Name option to create the result directory with a non-default name, e.g. ~\WinRMToolResults\rsasa-123.

Results (Tabular) Tab:

  • Displays tool results in tabular format.
Notes

The WinRM Diagnostics tool and guide were updated on 2018/03/07. If you downloaded this tool and guide before that date, please download them again using the links below. If this is the first time downloading these items, please use the same links below.

WinRM Diagnostics Tool:  https://community.rsa.com/docs/DOC-58018
WinRM Configuration Guide: https://community.rsa.com/docs/DOC-58163
