Microsoft Vista collector not working

Updated: 20 Aug 2010 | 4 comments
hesterik

This issue has been solved.

I have problems with collecting events from a Windows 2008 Domain controller.

On the collector machine I have got the error message:

"Number of Authentication errors in sensor exceeded maximum specified for this collector"

Collector machine is Windows 2008 in the same domain as the DC.

On the DC we have configured WinRM and this is the output of the configuration.

 

C:\Windows\system32>winrm get winrm/config
Config
    MaxEnvelopeSizekb = 150
    MaxTimeoutms = 60000
    MaxBatchItems = 20
    MaxProviderRequests = 25
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth
            Basic = false
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
        DefaultPorts
            HTTP = 80
            HTTPS = 443
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;ER)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
        MaxConcurrentOperations = 100
        EnumerationTimeoutms = 60000
        MaxConnections = 5
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
        DefaultPorts
            HTTP = 80
            HTTPS = 443
        IPv4Filter = *
        IPv6Filter = *
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 900000
        MaxConcurrentUsers = 5
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 5
        MaxMemoryPerShellMB = 80
        MaxShellsPerUser = 2

C:\Windows\system32>wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 134217728
publishing:

What can I do next to get the collector working?

Comments

olaf, 19 Jul 2010

Can you provide some more information about the setup?
Did you try to collect Application and System logs only and does this work?
Are you using an Administrator account or a normal user account to collect the event logs?
Which exact version of Windows 2008 are you using and which version of the winrm framework?
What settings did you configure in the sensor?
On the collector machine, is the DNS Server set to the DNS Server of your Active Directory domain?

Thanks,

Olaf

GregBx, 19 Jul 2010

I'm having the same problem.

Target system is Server 2008 (R1) Enterprise.  The sensor was configured with the following settings:

Monitored Host Name:  servername
Monitored Host Realm:  Blank
Connection Port:  80
Connection Protocol:  HTTP
Monitored Host Account Name:  domain\username
Account Password:  *******
Event Logs to Audit:  System (see below, I've tried multiple)
Start Reading From:  End (have tried Beginning)

I have tried to collect only system, application, Security, DNS Server, Directory Service, and Setup.  One at a time, all together, and several combinations.  It always comes back with the same error:

ERROR 2010-07-19 15:18:03,377 Collectors.3301.wGroup.[workinggroup0].SensorThread Thread-25454 [Sensor: MYDomainController] Number of authentication errors in sensor exceeded maximum specified for this collector.

I have entered and re-entered the Monitored Host Account Name and the Account Password.  This account is a domain account and has access to the event logs.  As asked above, the DNS of this system is the same as the Active Directory Domain.

olaf, 20 Jul 2010

Hi Greg,

when using a domain account you should set the Monitored Host Realm. The Monitored Host Realm is normally the Domain name you are using.
You can check this by running the Ksetup command from a command-line on the machine where you want to collect the logs from. Running this command without options should display the default realm which you should use in the Monitored Host Realm option.
The Monitored Host Account Name should be the username without the domain prefix.
Also make sure that the Auth option for Kerberos is set to true in this setup, like it is displayed in the above posting.
Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false

Also add the user domain\username to the Builtin Active Directory group Event Log Readers.
When you want to collect the Security Log also, you will have to add the Event Log Readers to the channel access of the Security Log.

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2009120912192354

Once you have done all this start up the agent where the collector is installed.
Once the collector is started up go to the collectors folder in the main folder of the Event Agent.
In this folder you should now find 2 files, krb5.conf and krb5.properties.
If you want you can open these files using notepad. You should find some entries which point to your Domain Controller which is normally also the Kerberos Key Distribution Center (kdc).
When the authentication still fails you should check the Security Log of the Domain Controller to see why it is failing.

Regards,

Olaf

 

hesterik, 20 Jul 2010

We have found the issue.
 
We have added the user SRV-SSIM to the Builtin Active Directory group Event Log Readers.
 
• SID: S-1-5-32-573
Name: BUILTIN\Event Log Readers
 
This SID is added to the channel access of the Security Log.
 
Read current Channel Access:
Wevtutil gl security
 
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)
 
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 134217728
publishing:
 
 
Add read access to the current channel access by adding on the DC.
(A;;0x1;;;S-1-5-32-573) with the command

wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
 
Configure Remote Management
 

  • winrm quickconfig
  • winrm set winrm/config/service @{AllowUnencrypted="true"}
  • winrm set winrm/config/service/Auth @{Basic="true"}

 
Configuration of the Sensor:

Monitored hostname: <servername> (example: SRVDC01)
Monitored Host Realm: [empty]
Connection Port: 80
Connection Protocol : HTTP
Monitored Host Account Name : <account-name>  (example SSIMUSER)
Start Reading from : Beginning
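The steps in olaf's answer and in the solution above (put the collector account in Event Log Readers, append the group's read ACE to the Security channel SDDL, check the WinRM auth settings) as one script. This is an added example for this page, not code from the thread or from Symantec; it is PowerShell meant to be run from an elevated prompt on the domain controller. The account name CORP\SRV-SSIM, the hypothetical helper names Get-ChannelSddl and Add-AceToDacl, and the use of the ActiveDirectory module for the group change are assumptions. Unlike the raw wevtutil command in the posts, it reads the current SDDL first and only appends the ACE when it is missing, so running it twice does not produce a duplicate entry, and it re-reads the channel afterwards to confirm what was stored.

```powershell
# Added example, not from the thread: grant BUILTIN\Event Log Readers read
# access to the Security log idempotently, then check the WinRM settings the
# sensor depends on. Run from an elevated PowerShell prompt on the DC.
# Assumptions (not in the original posts): the collector account is
# CORP\SRV-SSIM; change $CollectorAccount to match your environment.

$CollectorAccount   = 'CORP\SRV-SSIM'                   # assumption
$EventLogReadersSid = 'S-1-5-32-573'                    # BUILTIN\Event Log Readers
$ReadAce            = "(A;;0x1;;;$EventLogReadersSid)"  # 0x1 = read

function Get-ChannelSddl([string]$Channel) {
    # wevtutil gl prints a single "channelAccess: <SDDL>" line; in the posts it
    # only looks wrapped because of the console width.
    $line = (& wevtutil.exe gl $Channel) |
        Where-Object { $_ -like 'channelAccess:*' } | Select-Object -First 1
    if (-not $line) { throw "channelAccess not found for channel '$Channel'" }
    return ($line -replace '^channelAccess:\s*', '').Trim()
}

function Add-AceToDacl([string]$Sddl, [string]$Ace, [string]$Sid) {
    # Leave the SDDL alone if this SID already has an access-allowed ACE.
    if ($Sddl -match "\(A;;[^;]*;;;$([regex]::Escape($Sid))\)") { return $Sddl }
    # The DACL runs from "D:" up to an optional SACL ("S:"); a new DACL ACE
    # has to be inserted before the SACL, not appended after it.
    $daclStart = $Sddl.IndexOf('D:')
    $saclStart = if ($daclStart -ge 0) { $Sddl.IndexOf('S:', $daclStart) } else { -1 }
    if ($saclStart -ge 0) {
        return $Sddl.Substring(0, $saclStart) + $Ace + $Sddl.Substring($saclStart)
    }
    return $Sddl + $Ace
}

# 1. Group membership. On a DC, Event Log Readers is a domain builtin group;
#    this needs the ActiveDirectory module (assumption) and is skipped otherwise.
if (Get-Command Add-ADGroupMember -ErrorAction SilentlyContinue) {
    $sam = $CollectorAccount.Split('\')[-1]
    Add-ADGroupMember -Identity 'Event Log Readers' -Members $sam -ErrorAction SilentlyContinue
}

# 2. Channel access on the Security log, appended only when missing.
$current = Get-ChannelSddl 'Security'
$wanted  = Add-AceToDacl $current $ReadAce $EventLogReadersSid
if ($wanted -ne $current) {
    & wevtutil.exe sl Security "/ca:$wanted"
    Write-Host "Granted read on Security channel: $ReadAce"
} else {
    Write-Host "Security channel already grants access to $EventLogReadersSid"
}

# 3. Verify what wevtutil actually stored rather than what we intended to send.
$after = Get-ChannelSddl 'Security'
if ($after -notmatch [regex]::Escape($ReadAce)) {
    throw "Security channel access does not contain ${ReadAce}: $after"
}

# 4. WinRM service auth. A domain account with the realm set authenticates with
#    Kerberos; Basic plus AllowUnencrypted over HTTP (the settings in the final
#    post) sends the collector account's password in cleartext on the wire.
$auth = (& winrm.cmd get winrm/config/service/auth) -join "`n"
if ($auth -notmatch 'Kerberos\s*=\s*true') { Write-Warning 'WinRM service: Kerberos auth is disabled' }
if ($auth -match 'Basic\s*=\s*true')       { Write-Warning 'WinRM service: Basic auth is enabled' }
$svc = (& winrm.cmd get winrm/config/service) -join "`n"
if ($svc -match 'AllowUnencrypted\s*=\s*true') { Write-Warning 'WinRM service: AllowUnencrypted is true' }
```

The 0x1 right is enough for a collector that only reads; the 0x3 and 0x7 masks already in the channel SDDL also grant write or clear, which a log reader should not have. The warnings in step 4 are deliberate: the thread gets the sensor working with Basic over unencrypted HTTP, but once Kerberos works (realm set, username without domain prefix, krb5.conf pointing at the KDC) you can set Basic and AllowUnencrypted back to false on the service side.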