This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2009-09-29 09:22 AM

Windows Logs Not Working

I am having trouble getting windows logs using the agentless NIC service. I have a number of Windows devices working correctly on the system. I recently tried to add a dozen and none of them showed up in "managed devices" I used Wintool and got this error: 360)  DISABLED  127.0.0.1 Application                           (84600 ~ ) Mon Jan 26 08:30:03 2009 (Log file does not exist on device.)

 

I also ran the "runeventvieweras" and was able to connect to server and successfully look at all logs.

 

Do I have the "Remote registry run as a localservice" issue?

 

thx in advance

0 Likes
Reply
6 Replies
RSAAdmin
Beginner
Beginner
‎2009-09-29 10:21 AM

No I don't think so.

 

It's hard to say without additional info, but keying in on something I saw in your wintool.exe output.... "127.0.0.1"

 

I don't think you'll have much luck doing remote log collection to a target at "127.0.0.1". That's the local loopback interface IP (by RFC definition) and would be interpreted by RSA enVision as it's own operating system's IP stack.  It's not even the physical interface.

 

The only thing I can guess is that you must have had some problem when adding those hosts originally.  I'd start by going to Overview, System Configuration, Services, Device Services, Windows Service, Manager Windows Service and locate the systems you recently added.  Make sure that the IP address listed is the correct IP address of the remote target and not local loopback.

 

Also one tip... when adding new Windows hosts (at the GUI location mentioned above) ALWAYS provide an IP address into the "IP address / System name" field.  Yes, you can provide a hostname, but if there are any problems in your DNS configuration anywhere... that might prohibit successful AND accurate name resolution to the target host, you may end up with issues like you've described here, along with several others.   So I've gotten into the habit of using IP addresses and have never had a problem.  

 

let me know what you find,

ryan

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2009-09-29 10:27 AM

I didn't really use 127.0.0.1 as the IP, I just copy and pasted the error from another post. The IP are fine on the windows service

 

this is from the Windows device config guide:

 

Note:If you cannot collect messages from a Windows 2003/2008 device, set up the Remote Registry Service account to run

as the LocalSystem, not LocalService.

 

My server is configured as LocalService.

 

Should I change the account?

 

thanks

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2009-09-29 11:35 AM

That's your call. 

 

Personally, I refuse to change mine to local SYSTEM, and opt for an alternate local admin account.

 

Forcing this service (and any other service for that matter) to start with Local SYSTEM causes increased risk of exploitation at a later date via binary replacement (bait and switch) techniques, and is therefore commonly leveraged in privilege escalation attacks.

 

Since local SYSTEM is the highest privilege level account to the local resource, higher than that of local administrator (think UID 0) it's best practice IMHO to reduce the number of services that use this account, period.  RSA's guidance is not inaccurate, it's just contrary to that belief.  So it's really up to you.   It will probably fix the issue, but just be sure you understand the level of risk your signing up for when you make the change.

 

The fact of the matter is, and what RSA doesn't want to take the time to explain, is that the Remote Registry Service can be configured to be started by ANY account that has local administrator privileges to the resource.  This can be accomplished a number of ways.  Yes, the default is LocalService.  But local SYSTEM is arguably overkill.  There are more secure options that get the job done... but alas... they require explaining in the help files... so you know...

 

 

hope this helps,

ryan

 

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2009-09-29 11:45 AM

OK. thanks for the info!
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-10-24 07:49 AM

I have also problem with the Windows Event Logs. I am using WinRM service but logs are not coming. Wintool "show summary" says Could not find pipe for xxxx-domain. I ran also \collection-services\winevent\wineventconfig.exe -a Current event channel subscriptions are: "Application, Security, System" Appy global event channel subscriptions: Y Apply global polling interval: Y Is there any way to debug from enVision side that why event logs are not coming? Or do I just have to try to check all the configurations from log source (Win2008R2 server) side?
0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-12-02 01:00 AM

wintool doesn't works with WinRm service, it is only used for Agentless collection service. You can check the NIC messages that are getting generated, or run the service from command line \collection-services\winevent\wineventsvc.exe -v, then you can see all that the service is doing, before this stop the service from service manager. Please also send the output you see if you need anything to be verified.

Thanks
Amit
0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.