Windows Logs Not Working
I am having trouble getting Windows logs using the agentless NIC service. I have a number of Windows devices working correctly on the system. I recently tried to add a dozen and none of them showed up in "managed devices". I used Wintool and got this error: "360) DISABLED 127.0.0.1 Application (84600 ~ ) Mon Jan 26 08:30:03 2009 (Log file does not exist on device.)"
I also ran the "runeventvieweras" and was able to connect to server and successfully look at all logs.
Do I have the "Remote registry run as a localservice" issue?
Thanks in advance
No I don't think so.
It's hard to say without additional info, but keying in on something I saw in your wintool.exe output... "127.0.0.1".
I don't think you'll have much luck doing remote log collection to a target at "127.0.0.1". That's the local loopback interface IP (by RFC definition) and would be interpreted by RSA enVision as its own operating system's IP stack. It's not even the physical interface.
The only thing I can guess is that you must have had some problem when adding those hosts originally. I'd start by going to Overview, System Configuration, Services, Device Services, Windows Service, Manager Windows Service and locate the systems you recently added. Make sure that the IP address listed is the correct IP address of the remote target and not local loopback.
Also one tip... when adding new Windows hosts (at the GUI location mentioned above) ALWAYS provide an IP address in the "IP address / System name" field. Yes, you can provide a hostname, but if there are any problems anywhere in your DNS configuration that prevent successful AND accurate name resolution to the target host, you may end up with issues like you've described here, along with several others. So I've gotten into the habit of using IP addresses and have never had a problem.
let me know what you find,
I didn't really use 127.0.0.1 as the IP, I just copied and pasted the error from another post. The IPs are fine on the Windows service.
this is from the Windows device config guide:
Note: If you cannot collect messages from a Windows 2003/2008 device, set up the Remote Registry Service account to run as the LocalSystem, not LocalService.
My server is configured as LocalService.
Should I change the account?
That's your call.
Personally, I refuse to change mine to local SYSTEM, and opt for an alternate local admin account.
Forcing this service (and any other service for that matter) to start with Local SYSTEM causes increased risk of exploitation at a later date via binary replacement (bait and switch) techniques, and is therefore commonly leveraged in privilege escalation attacks.
Since local SYSTEM is the highest privilege level account on the local resource, higher than that of local administrator (think UID 0), it's best practice IMHO to reduce the number of services that use this account, period. RSA's guidance is not inaccurate, it's just contrary to that belief. So it's really up to you. It will probably fix the issue, but just be sure you understand the level of risk you're signing up for when you make the change.
The fact of the matter is, and what RSA doesn't want to take the time to explain, is that the Remote Registry Service can be configured to be started by ANY account that has local administrator privileges to the resource. This can be accomplished a number of ways. Yes, the default is LocalService. But local SYSTEM is arguably overkill. There are more secure options that get the job done... but alas... they require explaining in the help files... so you know...
hope this helps,
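As an added example (not from the original thread or from RSA), here is a small Python audit of wintool-style status lines that flags the two configuration problems discussed above: a loopback target, and a hostname where an IP address was advised, alongside any DISABLED entries. The line layout is an assumption inferred from the single line quoted in the first post, and the sample output is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the shape of the wintool.exe line quoted in the thread.
# The field layout (id) STATE target LogName (interval) timestamp (message)
# is an assumption based on that one line.
SAMPLE_WINTOOL_OUTPUT = """\
360) DISABLED 127.0.0.1 Application (84600 ~ ) Mon Jan 26 08:30:03 2009 (Log file does not exist on device.)
361) ENABLED 192.0.2.15 Security (0 ~ ) Mon Jan 26 08:30:03 2009 (OK)
362) DISABLED fileserver01 System (84600 ~ ) Mon Jan 26 08:30:04 2009 (Log file does not exist on device.)
"""

LINE_RE = re.compile(
    r"^(?P<id>\d+)\)\s+(?P<state>\w+)\s+(?P<target>\S+)\s+(?P<log>\w+)\s+"
    r"\((?P<interval>[^)]*)\)\s+(?P<when>.+?)\s+\((?P<message>.*)\)$"
)


@dataclass
class Finding:
    entry_id: int
    target: str
    log: str
    reason: str


def classify_target(target: str) -> str:
    """Return 'loopback', 'ip' or 'hostname' for the target field."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return "hostname"  # not a literal IP, so collection depends on DNS
    return "loopback" if addr.is_loopback else "ip"


def audit_wintool_output(text: str) -> list:
    """Parse wintool-style lines and return one Finding per problem seen."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        entry = (int(m["id"]), m["target"], m["log"])
        kind = classify_target(m["target"])
        if kind == "loopback":
            findings.append(Finding(*entry, "target is loopback; the collector would read its own IP stack"))
        elif kind == "hostname":
            findings.append(Finding(*entry, "hostname instead of IP address; collection depends on DNS"))
        if m["state"].upper() == "DISABLED":
            findings.append(Finding(*entry, f"collection disabled: {m['message']}"))
    return findings
```

Run it against a pasted wintool dump and review each Finding against the Manage Windows Service page mentioned above.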