Winrm Log Collection: Can I use multiple accounts for the same domain when collecting logs via winrm?

3 years ago

Originally Published: 2015-09-18

Article Number

000064404

Applies To

RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server
RSA Version/Condition: 10.X

Issue

A customer wants to define winrm logcollection with two accounts. For example userA@DOMAIN to collect logs for Server A and userB@DOMAIN for Server B.

Initally Log Collection may work, but will eventually break when the kerberos ticket for the other user is renewed.

The following will be seen in the logs

[root@REMOTELOGCOL ~]# tail -f /var/log/messages |grep -i kerberos
Sep 18 07:56:00 REMOTELOGCOL nw[29679]: [Krb5CacheMonitor] [failure] Failed to fetch Kerberos TGT for principal : RSALOGCOLLECTOR@WAUGH.LOCAL
Sep 18 07:57:00 REMOTELOGCOL nw[29679]: [Krb5CacheMonitor] [failure] Failed to fetch Kerberos TGT for principal : RSALOGCOLLECTOR@WAUGH.LOCAL
Sep 18 07:58:00 REMOTELOGCOL nw[29679]: [Krb5CacheMonitor] [info] Fetched Kerberos TGT for principal : RSALOGCOLLECTOR@WAUGH.LOCAL
Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh03_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source dwaugh03.waugh.local: 401/Unauthorized.Possible causes:- Event source (dwaugh03.waugh.local) does not map to a Kerberos Realm.
Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh05_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source dwaugh05.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (dwaugh05.WAUGH.LOCAL) does not map to a Kerberos Realm.
Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh10_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source DWAUGH10.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (DWAUGH10.WAUGH.LOCAL) does not map to a Kerberos Realm.
Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh14_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source DWAUGH14.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (DWAUGH14.WAUGH.LOCAL) does not map to a Kerberos Realm.
Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh21_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source dwaugh21.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (dwaugh21.WAUGH.LOCAL) does not map to a Kerberos Realm.
Sep 18 07:58:09 REMOTELOGCOL nw[29679]: [WindowsCollection] [failure] [WindowsNonDomainController.dwaugh23_waugh_local] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source DWAUGH23.WAUGH.LOCAL: 401/Unauthorized.Possible causes:- Event source (DWAUGH23.WAUGH.LOCAL) does not map to a Kerberos Realm.

[root@REMOTELOGCOL ~]# klist -A
Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tktI9UDv4
Default principal: RSALOGCOLLECTOR@WAUGH.LOCAL

Valid starting     Expires            Service principal
09/18/15 07:58:00  09/18/15 17:57:53  krbtgt/WAUGH.LOCAL@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/dwaugh03.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/dwaugh05.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/dwaugh10.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/dwaugh14.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/dwaugh21.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/dwaugh23.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:02  09/18/15 17:57:53  HTTP/ecat.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:03  09/18/15 17:57:53  HTTP/jumphost-0-0.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00
09/18/15 07:58:03  09/18/15 17:57:53  HTTP/jumphost-0-0.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:58:00

Ticket cache: DIR::/var/netwitness/logcollector/runtime/krb5_ccache_dir/tkt0j1onp
Default principal: winrm@WAUGH.LOCAL

Valid starting     Expires            Service principal
09/18/15 07:53:00  09/18/15 17:52:52  krbtgt/WAUGH.LOCAL@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:52:53  09/18/15 17:52:52  HTTP/dwaugh05.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:52:53  09/18/15 17:52:52  HTTP/dwaugh10.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:52:53  09/18/15 17:52:52  HTTP/dwaugh03.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:53:04  09/18/15 17:52:52  HTTP/dwaugh14.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:53:04  09/18/15 17:52:52  HTTP/dwaugh21.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:53:05  09/18/15 17:52:52  HTTP/dwaugh23.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:53:05  09/18/15 17:52:52  HTTP/ecat.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00
09/18/15 07:53:11  09/18/15 17:52:52  HTTP/jumphost-0-0.waugh.local@WAUGH.LOCAL
        renew until 09/18/15 17:53:00

Cause

It is not possible to collect logs using multiple accounts in the same domain on one logcollector. The reason for this can be found here

http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html#twoprincs

In most Kerberos implementations, there can only be a single principal per credential cache (or ticket file). You can however choose which cache to use by setting the KRB5CCNAME (in V5) andKRBTKFILE (in V4) environment variable.

As a single Kerberos Ticket file is used in the logcollector located at

export KRB5CCNAME=DIR:/var/netwitness/logcollector/runtime/krb5_ccache_dir

then multiple users in the same domain are not possible.

Resolution

Use only one account per logcollector.

Workaround

If you absolutely must use different accounts for different servers, then the servers with different accounts will need to be distributed across different logcollectors. As this is across the same domain then it is not clear what the use case actually is for using multiple accounts for log collection in a single domain.

Notes

All machine names and IP Addresses are taken from an internal test environment.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles