
SIM 4.8 WS Management Collector not working

Created: 01 Oct 2013 | 1 comment

Hello. 

I am trying to capture the Windows logs from Windows Server 2008R2/2012/7 servers with SSIM 4.8.1.372. I configured everything as written in these topics: https://www-secure.symantec.com/connect/articles/windows-2008-2008-r2-ssim-integration-consolidated-graphical https://www-secure.symantec.com/connect/forums/security-logs-not-sended-ssim but the logs are not collected.

(screenshots: fw1.jpg, logreaders.jpg, networkservice.jpg, wevutil.jpg, winrm_cens.jpg, listeners.jpg)

On Windows 7 I used a domain account and ran:

    winrm set winrm/config/service/Auth @{Basic="false"}
    winrm set winrm/config/service/Auth @{Kerberos="true"}

I configured and distributed the WS Management Event Collector v5.0 configurations and sensors with a domain admin account for Windows 7 / Windows Server 2012 and a local admin account for Windows Server 2008R2.

(screenshots: vserver_config.jpg, krd-48_config_cens.jpg)

On Windows Server 2008R2 I have this uvista.log:

....
INFO 2013-10-01 16:44:16,298 Collectors.3384 com.symantec.management.util.TimerThread Initializing collector...
INFO 2013-10-01 16:44:16,361 Collectors.3384.wGroup.[workinggroup0].Sensor.[vserver] com.symantec.management.util.TimerThread Kerberos not initialized.
INFO 2013-10-01 16:44:16,534 Collectors.3384.wGroup.[workinggroup0].translator com.symantec.management.util.TimerThread 1 translator specifications exist.
INFO 2013-10-01 16:44:16,538 Collectors.3384.wGroup.[workinggroup0].translator com.symantec.management.util.TimerThread ## Global plugin for translation was loaded
INFO 2013-10-01 16:44:16,564 Collectors.3384.wGroup.[workinggroup0] com.symantec.management.util.TimerThread Working group for sensor "com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor" initiated (enable: true).
INFO 2013-10-01 16:44:16,564 Collectors.3384.aggregator com.symantec.management.util.TimerThread AGGREGATOR has been initialized with: 0 specs. Enabled: 0, disabled: 0.
INFO 2013-10-01 16:44:16,565 Collectors.3384.filter com.symantec.management.util.TimerThread FILTER has been initialized with: 0 specs. Enabled: 0, disabled: 0.
INFO 2013-10-01 16:44:16,565 Collectors.3384 com.symantec.management.util.TimerThread Configuration: test
INFO 2013-10-01 16:44:16,565 Collectors.3384 com.symantec.management.util.TimerThread Product ID: 3384
INFO 2013-10-01 16:44:16,565 Collectors.3384 com.symantec.management.util.TimerThread Product version: 5.0
INFO 2013-10-01 16:44:16,565 Collectors.3384 com.symantec.management.util.TimerThread Product seqnum: 20120716
INFO 2013-10-01 16:44:16,565 Collectors.3384 com.symantec.management.util.TimerThread Software feature ID: 33840101
INFO 2013-10-01 16:44:16,565 Collectors.3384 com.symantec.management.util.TimerThread Framework version: 2.50.00 seqnum: 20130207
INFO 2013-10-01 16:44:16,565 Collectors.3384 com.symantec.management.util.TimerThread Collector uses wsmanagement sensor v. 5.00.00 seqnum: 20121219
INFO 2013-10-01 16:44:16,565 Collectors.3384 com.symantec.management.util.TimerThread Collector initialization completed.
INFO 2013-10-01 16:44:16,703 Collectors.3384 com.symantec.management.util.TimerThread --------- The start is requested... ------
INFO 2013-10-01 16:44:16,704 Collectors.3384 com.symantec.management.util.TimerThread Sender started
INFO 2013-10-01 16:44:16,708 Collectors.3384 com.symantec.management.util.TimerThread Starting WorkingGroup (instance:33840101, group name: "workinggroup0")
INFO 2013-10-01 16:44:16,708 Collectors.3384 com.symantec.management.util.TimerThread ---------------- collector started. ----------------
INFO 2013-10-01 16:44:16,725 Collectors.3384.wGroup.[workinggroup0] workinggroup0 Starting working group for sensor "com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor"...
INFO 2013-10-01 16:44:16,725 Collectors.3384.wGroup.[workinggroup0] workinggroup0 0 events were deserialized
INFO 2013-10-01 16:44:16,726 Collectors.3384.wGroup.[workinggroup0] workinggroup0 All sensor threads (1) have been created.
WARN 2013-10-01 16:44:16,953 Collectors.3384.wGroup.[workinggroup0].Sensor.[vserver] Thread-17 Response message does not contain any data.
ERROR 2013-10-01 16:44:16,954 Collectors.3384.wGroup.[workinggroup0].SensorThread Thread-17 [Sensor: vserver] Number of authentication errors in sensor exceeded maximum specified for this collector.
INFO 2013-10-01 16:44:16,954 Collectors.3384.wGroup.[workinggroup0].SensorThread Thread-17 [Sensor: vserver] >>> Close sensor thread...
INFO 2013-10-01 16:57:16,591 Collectors.3384.wGroup.[workinggroup0] pool-3-thread-1 All sensors are stopped. Terminating workinggroup0 working group...
INFO 2013-10-01 16:57:16,613 Collectors.3384.wGroup.[workinggroup0] workinggroup0 Working group is off.
INFO 2013-10-01 16:57:16,613 Collectors.3384 pool-3-thread-1 collector instance: 33840101 and its WorkingGroups are stopped
INFO 2013-10-01 16:57:16,613 Collectors.3384.aggregator.AggregatorCacheImpl pool-3-thread-1 Aggregator BUFFER has been flushed and cleared. Capacity: 0
INFO 2013-10-01 16:57:16,614 Collectors.3384 pool-3-thread-1 ---------------- collector stopped ----------------
INFO 2013-10-01 16:57:39,717 Collectors.3384 com.symantec.management.util.TimerThread Initializing collector...
INFO 2013-10-01 16:57:39,745 Collectors.3384.wGroup.[workinggroup0].Sensor.[vserver] com.symantec.management.util.TimerThread Kerberos not initialized.
INFO 2013-10-01 16:57:39,836 Collectors.3384.wGroup.[workinggroup0].translator com.symantec.management.util.TimerThread 1 translator specifications exist.
INFO 2013-10-01 16:57:39,839 Collectors.3384.wGroup.[workinggroup0].translator com.symantec.management.util.TimerThread ## Global plugin for translation was loaded
INFO 2013-10-01 16:57:39,852 Collectors.3384.wGroup.[workinggroup0] com.symantec.management.util.TimerThread Working group for sensor "com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor" initiated (enable: true).
INFO 2013-10-01 16:57:39,852 Collectors.3384.aggregator com.symantec.management.util.TimerThread AGGREGATOR has been initialized with: 0 specs. Enabled: 0, disabled: 0.
INFO 2013-10-01 16:57:39,852 Collectors.3384.filter com.symantec.management.util.TimerThread FILTER has been initialized with: 0 specs. Enabled: 0, disabled: 0.
INFO 2013-10-01 16:57:39,852 Collectors.3384 com.symantec.management.util.TimerThread Configuration: test
INFO 2013-10-01 16:57:39,852 Collectors.3384 com.symantec.management.util.TimerThread Product ID: 3384
INFO 2013-10-01 16:57:39,856 Collectors.3384 com.symantec.management.util.TimerThread Product version: 5.0
INFO 2013-10-01 16:57:39,856 Collectors.3384 com.symantec.management.util.TimerThread Product seqnum: 20120716
INFO 2013-10-01 16:57:39,856 Collectors.3384 com.symantec.management.util.TimerThread Software feature ID: 33840101
INFO 2013-10-01 16:57:39,856 Collectors.3384 com.symantec.management.util.TimerThread Framework version: 2.50.00 seqnum: 20130207
INFO 2013-10-01 16:57:39,856 Collectors.3384 com.symantec.management.util.TimerThread Collector uses wsmanagement sensor v. 5.00.00 seqnum: 20121219
INFO 2013-10-01 16:57:39,856 Collectors.3384 com.symantec.management.util.TimerThread Collector initialization completed.
INFO 2013-10-01 16:57:39,859 Collectors.3384 com.symantec.management.util.TimerThread --------- The start is requested... ------
INFO 2013-10-01 16:57:39,860 Collectors.3384 com.symantec.management.util.TimerThread Sender started
INFO 2013-10-01 16:57:39,882 Collectors.3384 com.symantec.management.util.TimerThread Starting WorkingGroup (instance:33840101, group name: "workinggroup0")
INFO 2013-10-01 16:57:39,882 Collectors.3384 com.symantec.management.util.TimerThread ---------------- collector started. ----------------
INFO 2013-10-01 16:57:39,893 Collectors.3384.wGroup.[workinggroup0] workinggroup0 Starting working group for sensor "com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor"...
INFO 2013-10-01 16:57:39,894 Collectors.3384.wGroup.[workinggroup0] workinggroup0 0 events were deserialized
INFO 2013-10-01 16:57:39,894 Collectors.3384.wGroup.[workinggroup0] workinggroup0 All sensor threads (1) have been created.
WARN 2013-10-01 16:57:40,118 Collectors.3384.wGroup.[workinggroup0].Sensor.[vserver] Thread-17 Response message does not contain any data.
ERROR 2013-10-01 16:57:40,118 Collectors.3384.wGroup.[workinggroup0].SensorThread Thread-17 [Sensor: vserver] Number of authentication errors in sensor exceeded maximum specified for this collector.
INFO 2013-10-01 16:57:40,118 Collectors.3384.wGroup.[workinggroup0].SensorThread Thread-17 [Sensor: vserver] >>> Close sensor thread...
INFO 2013-10-01 18:22:40,221 Collectors.3384.wGroup.[workinggroup0] pool-3-thread-1 All sensors are stopped. Terminating workinggroup0 working group...
INFO 2013-10-01 18:22:40,276 Collectors.3384.wGroup.[workinggroup0] workinggroup0 Working group is off.
INFO 2013-10-01 18:22:40,276 Collectors.3384 pool-3-thread-1 collector instance: 33840101 and its WorkingGroups are stopped
INFO 2013-10-01 18:22:40,276 Collectors.3384.aggregator.AggregatorCacheImpl pool-3-thread-1 Aggregator BUFFER has been flushed and cleared. Capacity: 0
INFO 2013-10-01 18:22:40,277 Collectors.3384 pool-3-thread-1 ---------------- collector stopped ----------------
INFO 2013-10-01 18:23:03,928 Collectors.3384 com.symantec.management.util.TimerThread Initializing collector...
INFO 2013-10-01 18:23:03,958 Collectors.3384.wGroup.[workinggroup0].Sensor.[vserver] com.symantec.management.util.TimerThread Kerberos not initialized.
INFO 2013-10-01 18:23:04,041 Collectors.3384.wGroup.[workinggroup0].translator com.symantec.management.util.TimerThread 1 translator specifications exist.
INFO 2013-10-01 18:23:04,042 Collectors.3384.wGroup.[workinggroup0].translator com.symantec.management.util.TimerThread ## Global plugin for translation was loaded
INFO 2013-10-01 18:23:04,055 Collectors.3384.wGroup.[workinggroup0] com.symantec.management.util.TimerThread Working group for sensor "com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor" initiated (enable: true).
INFO 2013-10-01 18:23:04,056 Collectors.3384.aggregator com.symantec.management.util.TimerThread AGGREGATOR has been initialized with: 0 specs. Enabled: 0, disabled: 0.
INFO 2013-10-01 18:23:04,056 Collectors.3384.filter com.symantec.management.util.TimerThread FILTER has been initialized with: 0 specs. Enabled: 0, disabled: 0.
INFO 2013-10-01 18:23:04,059 Collectors.3384 com.symantec.management.util.TimerThread Configuration: test
INFO 2013-10-01 18:23:04,059 Collectors.3384 com.symantec.management.util.TimerThread Product ID: 3384
INFO 2013-10-01 18:23:04,059 Collectors.3384 com.symantec.management.util.TimerThread Product version: 5.0
INFO 2013-10-01 18:23:04,059 Collectors.3384 com.symantec.management.util.TimerThread Product seqnum: 20120716
INFO 2013-10-01 18:23:04,059 Collectors.3384 com.symantec.management.util.TimerThread Software feature ID: 33840101
INFO 2013-10-01 18:23:04,059 Collectors.3384 com.symantec.management.util.TimerThread Framework version: 2.50.00 seqnum: 20130207
INFO 2013-10-01 18:23:04,059 Collectors.3384 com.symantec.management.util.TimerThread Collector uses wsmanagement sensor v. 5.00.00 seqnum: 20121219
INFO 2013-10-01 18:23:04,059 Collectors.3384 com.symantec.management.util.TimerThread Collector initialization completed.
INFO 2013-10-01 18:23:04,062 Collectors.3384 com.symantec.management.util.TimerThread --------- The start is requested... ------
INFO 2013-10-01 18:23:04,064 Collectors.3384 com.symantec.management.util.TimerThread Sender started
INFO 2013-10-01 18:23:04,250 Collectors.3384 com.symantec.management.util.TimerThread Starting WorkingGroup (instance:33840101, group name: "workinggroup0")
INFO 2013-10-01 18:23:04,250 Collectors.3384 com.symantec.management.util.TimerThread ---------------- collector started. ----------------
INFO 2013-10-01 18:23:04,262 Collectors.3384.wGroup.[workinggroup0] workinggroup0 Starting working group for sensor "com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor"...
INFO 2013-10-01 18:23:04,263 Collectors.3384.wGroup.[workinggroup0] workinggroup0 0 events were deserialized
INFO 2013-10-01 18:23:04,263 Collectors.3384.wGroup.[workinggroup0] workinggroup0 All sensor threads (1) have been created.
WARN 2013-10-01 18:23:04,499 Collectors.3384.wGroup.[workinggroup0].Sensor.[vserver] Thread-18 Response message does not contain any data.
ERROR 2013-10-01 18:23:04,500 Collectors.3384.wGroup.[workinggroup0].SensorThread Thread-18 [Sensor: vserver] Number of authentication errors in sensor exceeded maximum specified for this collector.
INFO 2013-10-01 18:23:04,500 Collectors.3384.wGroup.[workinggroup0].SensorThread Thread-18 [Sensor: vserver] >>> Close sensor thread...
On Windows 7 I have this uvista.log:

...
INFO 2013-10-01 17:28:00,705 Collectors.3384 pool-2-thread-1 ---------------- collector stopped ----------------
INFO 2013-10-01 17:28:16,744 Collectors.3384 com.symantec.management.util.TimerThread Initializing collector...
INFO 2013-10-01 17:28:16,849 Collectors.3384.wGroup.[workinggroup0].Sensor.[myhostname] com.symantec.management.util.TimerThread Realm: "local", KDCs: "mydomain.local"
INFO 2013-10-01 17:28:16,869 Collectors.3384.wGroup.[workinggroup0].Sensor.[myhostname] com.symantec.management.util.TimerThread Kerberos authentication is enabled.
INFO 2013-10-01 17:28:16,949 Collectors.3384.wGroup.[workinggroup0].translator com.symantec.management.util.TimerThread 1 translator specifications exist.
INFO 2013-10-01 17:28:16,953 Collectors.3384.wGroup.[workinggroup0].translator com.symantec.management.util.TimerThread ## Global plugin for translation was loaded
INFO 2013-10-01 17:28:16,971 Collectors.3384.wGroup.[workinggroup0] com.symantec.management.util.TimerThread Working group for sensor "com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor" initiated (enable: tlocale).
INFO 2013-10-01 17:28:16,971 Collectors.3384.aggregator com.symantec.management.util.TimerThread AGGREGATOR has been initialized with: 0 specs. Enabled: 0, disabled: 0.
INFO 2013-10-01 17:28:16,971 Collectors.3384.filter com.symantec.management.util.TimerThread FILTER has been initialized with: 0 specs. Enabled: 0, disabled: 0.
INFO 2013-10-01 17:28:16,971 Collectors.3384 com.symantec.management.util.TimerThread Configuration: myhostname
INFO 2013-10-01 17:28:16,972 Collectors.3384 com.symantec.management.util.TimerThread Product ID: 3384
INFO 2013-10-01 17:28:16,972 Collectors.3384 com.symantec.management.util.TimerThread Product version: 5.0
INFO 2013-10-01 17:28:16,972 Collectors.3384 com.symantec.management.util.TimerThread Product seqnum: 20120716
INFO 2013-10-01 17:28:16,972 Collectors.3384 com.symantec.management.util.TimerThread Software feature ID: 33840101
INFO 2013-10-01 17:28:16,972 Collectors.3384 com.symantec.management.util.TimerThread Framework version: 2.50.00 seqnum: 20130207
INFO 2013-10-01 17:28:16,972 Collectors.3384 com.symantec.management.util.TimerThread Collector uses wsmanagement sensor v. 5.00.00 seqnum: 20121219
INFO 2013-10-01 17:28:16,972 Collectors.3384 com.symantec.management.util.TimerThread Collector initialization completed.
INFO 2013-10-01 17:28:16,977 Collectors.3384 com.symantec.management.util.TimerThread --------- The start is requested... ------
INFO 2013-10-01 17:28:16,979 Collectors.3384 com.symantec.management.util.TimerThread Sender started
INFO 2013-10-01 17:28:16,982 Collectors.3384 com.symantec.management.util.TimerThread Starting WorkingGroup (instance:33840101, group name: "workinggroup0")
INFO 2013-10-01 17:28:16,982 Collectors.3384 com.symantec.management.util.TimerThread ---------------- collector started. ----------------
INFO 2013-10-01 17:28:16,982 Collectors.3384.wGroup.[workinggroup0] workinggroup0 Starting working group for sensor "com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor"...
INFO 2013-10-01 17:28:16,982 Collectors.3384.wGroup.[workinggroup0] workinggroup0 0 events were deserialized
INFO 2013-10-01 17:28:16,983 Collectors.3384.wGroup.[workinggroup0] workinggroup0 All sensor threads (1) have been created.
WARN 2013-10-01 17:28:17,884 Collectors.3384.wGroup.[workinggroup0].Sensor.[myhostname] Thread-18 Response message does not contain any data.
ERROR 2013-10-01 17:28:17,885 Collectors.3384.wGroup.[workinggroup0].SensorThread Thread-18 [Sensor: myhostname] Number of authentication errors in sensor exceeded maximum specified for this collector.
INFO 2013-10-01 17:28:17,885 Collectors.3384.wGroup.[workinggroup0].SensorThread Thread-18 [Sensor: myhostname] >>> Close sensor thread...
INFO 2013-10-01 17:42:56,453 Collectors.3384.wGroup.[workinggroup0] pool-2-thread-1 All sensors are stopped. Terminating workinggroup0 working group...
INFO 2013-10-01 17:42:56,519 Collectors.3384.wGroup.[workinggroup0] workinggroup0 Working group is off.
INFO 2013-10-01 17:42:56,519 Collectors.3384 pool-2-thread-1 collector instance: 33840101 and its WorkingGroups are stopped
INFO 2013-10-01 17:42:56,520 Collectors.3384.aggregator.AggregatorCacheImpl pool-2-thread-1 Aggregator BUFFER has been flushed and cleared. Capacity: 0
INFO 2013-10-01 17:42:56,521 Collectors.3384 pool-2-thread-1 ---------------- collector stopped ----------------
INFO 2013-10-01 17:43:16,883 Collectors.3384 com.symantec.management.util.TimerThread Initializing collector...
INFO 2013-10-01 17:43:17,020 Collectors.3384.wGroup.[workinggroup0].Sensor.[myhostname] com.symantec.management.util.TimerThread Realm: "local", KDCs: "mydomain.local"
INFO 2013-10-01 17:43:17,035 Collectors.3384.wGroup.[workinggroup0].Sensor.[myhostname] com.symantec.management.util.TimerThread Kerberos authentication is enabled.
INFO 2013-10-01 17:43:17,149 Collectors.3384.wGroup.[workinggroup0].translator com.symantec.management.util.TimerThread 1 translator specifications exist.
INFO 2013-10-01 17:43:17,152 Collectors.3384.wGroup.[workinggroup0].translator com.symantec.management.util.TimerThread ## Global plugin for translation was loaded
INFO 2013-10-01 17:43:17,166 Collectors.3384.wGroup.[workinggroup0] com.symantec.management.util.TimerThread Working group for sensor "com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor" initiated (enable: tlocale).
INFO 2013-10-01 17:43:17,166 Collectors.3384.aggregator com.symantec.management.util.TimerThread AGGREGATOR has been initialized with: 0 specs. Enabled: 0, disabled: 0.
INFO 2013-10-01 17:43:17,166 Collectors.3384.filter com.symantec.management.util.TimerThread FILTER has been initialized with: 0 specs. Enabled: 0, disabled: 0.
INFO 2013-10-01 17:43:17,166 Collectors.3384 com.symantec.management.util.TimerThread Configuration: myhostname
INFO 2013-10-01 17:43:17,166 Collectors.3384 com.symantec.management.util.TimerThread Product ID: 3384
INFO 2013-10-01 17:43:17,166 Collectors.3384 com.symantec.management.util.TimerThread Product version: 5.0
INFO 2013-10-01 17:43:17,166 Collectors.3384 com.symantec.management.util.TimerThread Product seqnum: 20120716
INFO 2013-10-01 17:43:17,167 Collectors.3384 com.symantec.management.util.TimerThread Software feature ID: 33840101
INFO 2013-10-01 17:43:17,167 Collectors.3384 com.symantec.management.util.TimerThread Framework version: 2.50.00 seqnum: 20130207
INFO 2013-10-01 17:43:17,167 Collectors.3384 com.symantec.management.util.TimerThread Collector uses wsmanagement sensor v. 5.00.00 seqnum: 20121219
INFO 2013-10-01 17:43:17,167 Collectors.3384 com.symantec.management.util.TimerThread Collector initialization completed.
INFO 2013-10-01 17:43:17,170 Collectors.3384 com.symantec.management.util.TimerThread --------- The start is requested... ------
INFO 2013-10-01 17:43:17,172 Collectors.3384 com.symantec.management.util.TimerThread Sender started
INFO 2013-10-01 17:43:17,175 Collectors.3384 com.symantec.management.util.TimerThread Starting WorkingGroup (instance:33840101, group name: "workinggroup0")
INFO 2013-10-01 17:43:17,175 Collectors.3384 com.symantec.management.util.TimerThread ---------------- collector started. ----------------
INFO 2013-10-01 17:43:17,175 Collectors.3384.wGroup.[workinggroup0] workinggroup0 Starting working group for sensor "com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor"...
INFO 2013-10-01 17:43:17,176 Collectors.3384.wGroup.[workinggroup0] workinggroup0 0 events were deserialized
INFO 2013-10-01 17:43:17,176 Collectors.3384.wGroup.[workinggroup0] workinggroup0 All sensor threads (1) have been created.
WARN 2013-10-01 17:43:18,037 Collectors.3384.wGroup.[workinggroup0].Sensor.[myhostname] Thread-18 Response message does not contain any data.
ERROR 2013-10-01 17:43:18,038 Collectors.3384.wGroup.[workinggroup0].SensorThread Thread-18 [Sensor: myhostname] Number of authentication errors in sensor exceeded maximum specified for this collector.
INFO 2013-10-01 17:43:18,038 Collectors.3384.wGroup.[workinggroup0].SensorThread Thread-18 [Sensor: myhostname] >>> Close sensor thread...
Please help me to solve this problem, thanks.


Hi,

In the above screenshots, I can see that under Auth, Basic is showing true while Kerberos is false.

 

Which should be the reverse in your case, as you are using a domain account for authentication.

Auth

    Basic=False

    Kerberos=True

Regards,

Avkash K
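The check a practitioner would run on each monitored host before touching the collector again, as an added example that is not code from the original post or from Symantec. It reads the same WinRM service auth settings the reply refers to through PowerShell's WSMan: drive, applies the Basic=false / Kerberos=true change from the post's winrm commands when run with -Fix, lists the listener, the inbound firewall rule and any HTTP SPNs, and finishes with Test-WSMan forcing a Kerberos logon with the sensor's own account so the failure reason is readable instead of the collector's generic "authentication errors exceeded". The host FQDN and the account name ssim-collector are placeholders. Two caveats: Kerberos only works for a domain account and only when the sensor addresses the host by DNS name, so the 2008R2 sensor that the post configures with a local admin account cannot use it and needs Basic (on an HTTPS listener) or Negotiate instead; and the realm the Windows 7 log prints ("local" rather than the full domain name in upper case) is worth comparing against the realm a domain member reports, because a wrong realm fails the same way.

```powershell
# Added example, not code from the original post or from Symantec. Audits the WinRM
# service on a monitored Windows host for the settings the WS-Management sensor
# needs, optionally applies the Basic=false / Kerberos=true fix from the reply,
# and then proves a Kerberos logon works with the sensor's account.
# Run from an elevated PowerShell prompt ON the monitored host (Win7/2008R2/2012).
# Assumptions (placeholders, not from the page): the FQDN in $Target and the
# service account name in $SensorAccount.
param(
    # Kerberos needs the host addressed by its DNS name, never by IP address.
    [string]$Target = "$env:COMPUTERNAME.$env:USERDNSDOMAIN",
    [string]$SensorAccount = "$env:USERDOMAIN\ssim-collector",   # hypothetical account
    [switch]$Fix
)

$ErrorActionPreference = 'Stop'

function Get-WinRMAuth {
    # Returns $true when the named WinRM service auth method is enabled.
    param([string]$Method)
    return ((Get-Item "WSMan:\localhost\Service\Auth\$Method").Value -eq 'true')
}

$basic     = Get-WinRMAuth 'Basic'
$kerberos  = Get-WinRMAuth 'Kerberos'
$negotiate = Get-WinRMAuth 'Negotiate'
Write-Host ("WinRM service auth on {0}: Basic={1} Kerberos={2} Negotiate={3}" -f `
    $env:COMPUTERNAME, $basic, $kerberos, $negotiate)

# The misconfiguration called out in the reply: a sensor that logs on with a domain
# account cannot authenticate while Basic is the only method the service offers.
if ($basic -and -not $kerberos) {
    Write-Warning 'Basic=true and Kerberos=false: a domain account cannot use Kerberos against this host.'
    if ($Fix) {
        # Same effect as the two winrm commands in the post:
        #   winrm set winrm/config/service/Auth @{Basic="false"}
        #   winrm set winrm/config/service/Auth @{Kerberos="true"}
        Set-Item 'WSMan:\localhost\Service\Auth\Basic'    -Value $false
        Set-Item 'WSMan:\localhost\Service\Auth\Kerberos' -Value $true
        Write-Host 'Applied: Basic=false Kerberos=true'
    }
}

# A host the sensor reaches with a LOCAL account (the 2008R2 case in the post) cannot
# use Kerberos at all; Basic or Negotiate must stay on for it, and Basic should then
# only be offered on an HTTPS listener so the password is not sent in clear.
if (-not $basic -and -not $negotiate -and -not $kerberos) {
    Write-Warning 'No usable authentication method is enabled; every sensor logon will fail.'
}

# Listener and firewall: the collector needs an enabled HTTP (5985) or HTTPS (5986)
# listener and the matching inbound rule. Both tools exist on Win7/2008R2 and later.
Write-Host '--- winrm listeners ---'
winrm enumerate winrm/config/listener
Write-Host '--- firewall rule ---'
netsh advfirewall firewall show rule name="Windows Remote Management (HTTP-In)"

# A stray HTTP/<fqdn> SPN registered to some other account makes the KDC issue a
# ticket the WinRM service (machine account) cannot decrypt; nothing should be listed.
Write-Host '--- SPN check ---'
setspn -Q "HTTP/$Target"

# End-to-end proof with the sensor's own account and an explicit Kerberos logon.
$cred = Get-Credential $SensorAccount
try {
    $id = Test-WSMan -ComputerName $Target -Authentication Kerberos -Credential $cred
    Write-Host ("Kerberos logon to {0} OK, WinRM stack {1}" -f $Target, $id.ProductVersion)
} catch {
    Write-Warning ("Kerberos logon to {0} failed: {1}" -f $Target, $_.Exception.Message)
}
```

Run it once without -Fix to see the current state, then with -Fix on the hosts that use a domain account. For the 2008R2 host keep Basic or Negotiate enabled and repeat the final Test-WSMan call with -Authentication Basic -UseSSL (or Negotiate) instead of Kerberos, since that is the logon the local account can actually perform.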