Unable to collect events from non-domain controllers
Of late we have been experiencing a strange issue: we are unable to pull logs from non-domain controllers. However, with the same event source we are able to pull events from domain controllers.
While investigating we found the below error message.
[windows:WrkUnit:3549] [doWork:165] [NawrasAd.10_x_x_x] [processing] [NawrasAd.10_x_x_x] Unable to subscribe for events with Windows event source 10.x.x.x: 401/Unauthorized.
- Event source (10.x.x.x) not a FQDN. DNS resolution failed or does not map to a Kerberos Realm.
Recently we upgraded SA to 10.3 at the suggestion of technical support, yet the issue persists.
Thanks in advance.
I have different timezones: one timezone on log collector, legacy log collector and another on domain controllers, non-domain controllers and non-domain servers. And all of the collection works. So it isn't the issue.
Also, the Collector log contains useful info.
Try it and ping us back.
Can you try the winrs command from another machine to confirm that WinRM is working fine?
For example, I tested in my lab:
winrs -r:https://srv6.exchange.local:5986 -u:administrator -p:Passw0rd2 dir
If you are using HTTPS, you need to add the certificate.
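
An added example, not part of the thread or of any RSA tooling: a small triage script for the "Unable to subscribe" collector message quoted in the question. It flags 401 failures where the event source is configured as an IP literal or a short name rather than an FQDN, which is the condition the error text itself names. The sample log lines, host names and addresses are constructed for illustration.

```python
import ipaddress
import re

# Matches the "Unable to subscribe" collector message format quoted in the thread.
LINE_RE = re.compile(
    r"Unable to subscribe for events with Windows event source "
    r"(?P<source>\S+): (?P<status>\d{3})/(?P<reason>\w+)"
)

def is_ip_literal(host):
    """True when the configured event source is an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(lines):
    """Return one finding per subscription failure found in the log lines."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated collector output
        source = m.group("source")
        status = int(m.group("status"))
        if status == 401 and (is_ip_literal(source) or "." not in source):
            # An address or short name cannot be mapped to a Kerberos realm.
            hint = "source is not an FQDN; configure the host's FQDN"
        elif status == 401:
            hint = "FQDN given; check credentials and realm mapping"
        else:
            hint = "not an authentication failure"
        findings.append({"source": source, "status": status, "hint": hint})
    return findings

# Constructed sample lines modelled on the message in the question.
SAMPLE = [
    "[windows:WrkUnit:1] [doWork:165] [SrcA.10_0_0_5] [processing] [SrcA.10_0_0_5] "
    "Unable to subscribe for events with Windows event source 10.0.0.5: 401/Unauthorized.",
    "[windows:WrkUnit:2] [doWork:165] [SrcB.fs01] [processing] [SrcB.fs01] "
    "Unable to subscribe for events with Windows event source fs01.corp.example: 401/Unauthorized.",
    "[windows:WrkUnit:3] [doWork:101] [SrcC] [processing] [SrcC] Subscription renewed.",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding["source"], finding["status"], finding["hint"])
```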