Error message "WinRM collection:Failed to refresh Kerberos TGT" is displayed in RSA Security Analytics / NetWitness Logs & Network. Event collection fails for a few event sources from the same Kerberos realm.
Error messages similar to the following are displayed:
2014-Mar-06 13:20:22 [WindowsCollection] [LAB.xx_xx_xx_xx] [processing] [LAB.xx_xx_xx_xx] Unable to pull events from Windows event source xx.xx.xx.xx: Fault Code : s:Receiver Subcode : n:InvalidEnumerationContext Reason : The WS-Enumeration context in the enumeration is not valid. Enumeration may have been completed or cancelled. You cannot use this enumeration context anymore. Start a new enumeration...
A command-line 'curl' test against the event source returns successful results.
This issue is caused by incorrect Event Source credentials.
Once a subscription has been created, the Windows event source returns an "Enumeration Context" in response to each pull request, and that context must be sent back to the event source in the next pull request. If the context is invalid, the above error may be generated and collection cannot continue within the current subscription. This can happen if the Windows event source has been rebooted or the WinRM service has been restarted.

The Windows collection, however, handles this error automatically: it cancels the existing subscription, if any, and re-subscribes from the last saved bookmarks. Sometimes the error is triggered by the Windows collection itself. For example, if Windows collection is stopped while it is processing pulled events, it is forced to cancel the existing subscription so that it can resume collection correctly; it forces the re-subscription by clearing the saved enumeration context.

If the system does not handle the re-subscription automatically, you may follow the steps below to force a re-subscription:
In order to resolve the issue, follow the steps below.

1. In the Log Collector service's System section, stop the Windows Collection.
2. SSH to the Log Collector and cd to /var/netwitness/logcollector/runtime/windows/eventsources
3. You should see a file named <alias>.<eventsourceaddress>.xml for the specific IP.
4. In that file there is one entry each for the enumeration context and the subscription ID. Clear both and save the file. Repeat this for each IP that has the issue.
   e.g. BEFORE: <subscription_id>7F75E08D-6045-4D82-8135-FCD4F59DED96</subscription_id> <enum_context>uuid:602492F1-AEB6-4FEE-B0E5-7388B5DDF5B2</enum_context>
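The following shell script is an added example and is not part of the RSA KB article or the NetWitness product. It performs step 4 in a repeatable way: it lists the event-source XML files that still carry a saved subscription ID or enumeration context, and blanks both entries in a chosen file while keeping a backup. The directory path and the two element names come from the article; the sample file, its alias and IP address are constructed for demonstration, and the real file layout may contain other elements that the script leaves untouched.

```shell
#!/bin/sh
# Added example, not part of the RSA KB article: blank the <subscription_id> and
# <enum_context> entries in a Log Collector event-source XML file so that the
# next start of Windows collection re-subscribes from the last saved bookmarks.
# The directory and element names come from the article; the sample file content,
# alias and IP below are constructed. Stop the Windows Collection before running
# this against a live file, as the article's step 1 requires.

EVENTSOURCE_DIR=/var/netwitness/logcollector/runtime/windows/eventsources

# Return 0 if the file still carries a non-empty subscription_id or enum_context.
has_saved_context() {
    grep -Eq '<(subscription_id|enum_context)>[^<]+</(subscription_id|enum_context)>' "$1"
}

# Blank both elements, keeping a .bak copy of the original file.
clear_saved_context() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    cp "$f" "$f.bak"
    tmp="$f.tmp.$$"
    sed -e 's#<subscription_id>[^<]*</subscription_id>#<subscription_id></subscription_id>#' \
        -e 's#<enum_context>[^<]*</enum_context>#<enum_context></enum_context>#' \
        "$f" > "$tmp" && mv "$tmp" "$f"
}

# Print every event-source file under a directory that still has a saved
# context, so the operator can see which IPs need the manual re-subscription.
list_stale_files() {
    for f in "$1"/*.xml; do
        [ -f "$f" ] || continue
        has_saved_context "$f" && echo "$f"
    done
    return 0
}

# Constructed sample mimicking the article's BEFORE state; prints its path.
make_sample_file() {
    d=$(mktemp -d)
    cat > "$d/LAB.10.0.0.5.xml" <<'EOF'
<eventsource>
  <subscription_id>7F75E08D-6045-4D82-8135-FCD4F59DED96</subscription_id>
  <enum_context>uuid:602492F1-AEB6-4FEE-B0E5-7388B5DDF5B2</enum_context>
  <bookmark>constructed-bookmark-value</bookmark>
</eventsource>
EOF
    echo "$d/LAB.10.0.0.5.xml"
}

# Usage on a real Log Collector (after stopping Windows Collection):
#   list_stale_files "$EVENTSOURCE_DIR"
#   clear_saved_context "$EVENTSOURCE_DIR/<alias>.<eventsourceaddress>.xml"
```

Only the two elements named in the article are cleared; the bookmark entry and everything else in the file are left as they are, so the re-subscription that follows still resumes from the last saved position rather than from the beginning of the event log.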