Windows 2008 AD event collecting using WinRM problem
Hello everyone,
I have a strange problem using the WinRM collection method with one Win 2008 AD controller: I can collect the Application and System logs successfully, but the Security log is something I have never managed to get. So far I have tried everything from the known documentation:
- I use a domain account with administrator privileges
- That account is in the "Event Log Readers" group
- Channel subscription changed with the known "S-1-5-20" form
I think there must be some privilege-level problem but I don't know which one... the status during "wineventsvc -v++" is always "Event count = 0".
If somebody has any idea ...
BR,
Dragan
How did you set up WinRM event collecting? What version of enVision are you on?
Thanks nkasu for replying.
Meanwhile we managed to solve the problem: the Security log was above 1 GB in size and that's the reason why this wasn't working. When we backed up the old Security log and tried again, everything was OK.
So this was a lesson for us as well...
We can close this case.
BR,
Dragan
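The resolution above (a Security channel over 1 GB, with the collector account in Event Log Readers and the S-1-5-20 ACE on the channel) suggests a short diagnostic to run on the domain controller before blaming WinRM itself. The following script is an added example written for this thread; it is not from the original posts or from RSA enVision documentation. The collector account name and the 1 GB threshold are assumptions taken from the discussion; run it in an elevated PowerShell prompt on the DC being collected.

```powershell
# Added diagnostic for the symptom in this thread: WinRM collection of the Security
# channel reports "Event count = 0" while Application and System collect fine.
# Not enVision code. Assumptions: the collector account below is a placeholder and
# 1 GB is the size the thread reports as the point where collection stopped working.

$collectorAccount = 'CONTOSO\svc_envision'   # placeholder: the account enVision reads with
$sizeWarnBytes    = 1GB                       # threshold taken from the thread

# 1. Size, record count and retention mode of the Security channel.
$sec = Get-WinEvent -ListLog Security
'Security log: {0:N0} bytes on disk, max {1:N0}, {2:N0} records, mode {3}, enabled {4}' -f `
    $sec.FileSize, $sec.MaximumSizeInBytes, $sec.RecordCount, $sec.LogMode, $sec.IsEnabled
if ($sec.FileSize -gt $sizeWarnBytes) {
    Write-Warning ('Security log exceeds {0:N0} bytes; archive and clear it (wevtutil epl / wevtutil cl) before retrying collection.' -f $sizeWarnBytes)
}

# 2. Channel access: remote readers need a read (0x1) ACE for NETWORK SERVICE (S-1-5-20)
#    and/or the built-in Event Log Readers group (S-1-5-32-573) in the channel SDDL.
$sddl = (wevtutil gl Security | Select-String '^channelAccess:').ToString() -replace '^channelAccess:\s*', ''
"channelAccess: $sddl"
foreach ($sid in 'S-1-5-20', 'S-1-5-32-573') {
    if ($sddl -notmatch [regex]::Escape($sid)) {
        Write-Warning "SID $sid has no explicit ACE on the Security channel."
    }
}

# 3. Direct membership of Event Log Readers on this DC (a built-in domain local group).
#    Parse everything after the dashed separator in 'net localgroup' output.
$raw     = net localgroup "Event Log Readers"
$sepLine = $raw | Where-Object { $_ -match '^-{5,}' } | Select-Object -First 1
$idx     = [Array]::IndexOf($raw, $sepLine)
$members = $raw[($idx + 1)..($raw.Count - 1)] |
    Where-Object { $_ -and $_ -notmatch '^The command completed' } |
    ForEach-Object { $_.Trim() }
"Event Log Readers members: $($members -join ', ')"
$shortName = $collectorAccount.Split('\')[-1]
if (($members -notcontains $collectorAccount) -and ($members -notcontains $shortName)) {
    Write-Warning "$collectorAccount is not a direct member of Event Log Readers (nested group membership is not checked here)."
}

# 4. WinRM service and listener state on the DC.
Test-WSMan -ErrorAction Stop | Out-Null
"WinRM responds locally; configured listeners:"
winrm enumerate winrm/config/listener
```

The log-size check is the one that matches the fix in this thread; the ACL and group checks cover the two settings the original post had already applied, so a clean run of all four narrows the problem to the collector side.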
I'm actually a customer also and was curious what version of enVision you were using with WinRM event logging, because we are trying to log our Windows AD servers that only support Kerberos; however, enVision to my knowledge only does NTLM.
Can you elaborate on how your setup is so we can follow a similar approach? Thanks.
Why didn't you use the legacy connection?
Bechara,
we did use the legacy connection but, as I said, during debug the event count was always "0". If you think of the WinRM connection as legacy, of course...
The Security log file was above 1 GB and that was the problem... it was an old DC machine (2003 upgraded to 2008) and the Security log file was really huge...
For new Windows OS systems I think it is recommended to use the new WinRM configuration for enVision...
BR,
Dragan
Nkasu,
we are on enVision 4.1 (b7) or something like that... it's on customer premises which I can't see right now, but I'm sure it's the latest one or near to the latest...
So for Windows 7, 2008, Vista and above it's recommended to use WinRM as the event collecting method. I think it's pretty well explained on SCOL how to do that and the configuration is pretty simple. Only if you have as big a log as I did would there be some problems...
If you are using the Windows service as the method for collecting events, I think it's pretty deprecated in today's enVision environments.
If you want a step-by-step guide on how to do it, I think you can find it on SCOL... if you have problems with that approach please inform me and I will provide a detailed configuration for monitoring Windows machines using WinRM and the enVision platform...
BR,
Dragan
Dragan,
Can you provide a link to the SCOL doc? You know how disorganized this site is. I'd appreciate it. We have Kerberos-only auth on our AD servers and were never able to get enVision to log them using WinRM. We have used the old legacy Windows Service configuration to poll our Windows servers, but that does not work with our AD servers since they only support Kerberos and enVision keeps trying NTLM.