
Unable to fetch logs remotely...

Created: 07 Apr 2012 • Updated: 02 Jul 2013 | 8 comments
This issue has been solved. See solution.

Hi All,

I am unable to fetch logs remotely from one server. I have used the OFFBOX strategy, where on one Windows server I have installed the Event Agent and collector, and through a domain ID I am trying to fetch the logs from the target server remotely.

Please find below the error I received...

------------------------------------------------------

ERROR 2012-04-07 16:08:58,138 Collectors.3105.wGroup.[workinggroup0].Sensor.[Ip address] Thread-31 abc.domain.com:Application Reader can not access registry on target box, ERROR_CODE[5]: RegOpenKeyEx. Make sure user DOMAIN\USERID has permissions to access registry on TARGET SERVERNAME.Domain.com.
ERROR 2012-04-07 16:08:58,138 Collectors.3105.wGroup.[workinggroup0].SensorThread Thread-31 [Sensor: IP ADDRESS] All readers in the sensor failed to open target logs due to unrecoverable errors. Closing the sensor.
com.symantec.cas.ucf.sensors.OpenDeviceException: All readers in the sensor failed to open target logs due to unrecoverable errors. Closing the sensor.
 at com.symantec.cas.ucf.sensors.windows.WindowsEventlogSensor.OpenDevice(WindowsEventlogSensor.java:366)
 at com.symantec.cas.ucf.collector.SensorJob.openSensor(SensorJob.java:156)
 at com.symantec.cas.ucf.collector.SensorJob.run(SensorJob.java:290)
 at java.lang.Thread.run(Thread.java:619)

------------------------------------------------------

Request a resolution ASAP....


DavidZ's picture

The answer is in your log: make sure user DOMAIN\USERID has permissions to access registry on TARGET SERVERNAME.Domain.com.

Have a look at this, it might help with understanding: http://www.symantec.com/business/support/index?page=content&id=TECH153517

David

 

dz

Shahnawaz K's picture

Hi David,

Everything is perfect, yet it is still showing the same error. A case has been open with Tech Support for the past one and a half months, still with no success...

antilles's picture

Hi,

The error that you provided says that the collector cannot open the Application event log.
Have you tried connecting to the Security event log? If yes, did you receive the same error?

What are the permissions of the user account used to establish the connection to the remote machine?
In my opinion, if you really want to read logs other than Security, then you have two options in Windows 2003:
1) use an account which is a member of the Administrators group on the target machine
2) define a custom security descriptor for the domain user in the registry of the target machine, which allows access to other event logs for a non-admin account.

And one more question, but I'm sure that support already asked about this: do you have the latest live updates installed on the collector?

Regards

Laurent_c's picture

Simple test (it doesn't always mean it works):

Open Regedit as the user you are using in the credential.

Connect to the remote machine.

See what message you get.

Do the same using MMC and Event Viewer: if you run it under a user and try to open the remote machine, it gives you an idea of whether you have the right or not.

olaf's picture

Can you check the permissions for the below registry key?

1. Click Start, click Run, type regedit, and then click OK.

2. Expand the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers

3. Right-click winreg, and then click Permissions.

What permissions are set on the winreg key?

olaf's picture

Concerning antilles' post about using a security descriptor, please take a look at the following Microsoft KB:

http://support.microsoft.com/kb/323076
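
The manual checks suggested in the replies above (open the remote registry as the collector's user, look at the winreg key permissions, look for a per-log security descriptor) can be scripted. This is an added example, not posted by anyone in the thread and not Symantec's tooling; the host name is a placeholder, and it assumes PowerShell 3.0 or later on the machine you run it from.

```powershell
# Added diagnostic example; not from the thread. Assumes PowerShell 3.0 or later.
# Start the session as the collector's account, e.g.:
#   runas /user:DOMAIN\USERID powershell.exe
param(
    [string]$Target = 'TARGETSERVER.domain.com',            # placeholder host name
    [string[]]$Logs = @('Application', 'System', 'Security')
)

function Test-RemoteEventLogRegistry {
    param([string]$Computer, [string[]]$LogNames)

    try {
        # Remote registry connection: needs the Remote Registry service on the target.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    } catch {
        [pscustomobject]@{ Key = '(connect)'; Result = $_.Exception.GetBaseException().Message; Detail = $null }
        return
    }

    # Keys to probe: one per event log, plus the winreg key asked about above.
    $paths = @($LogNames | ForEach-Object { "SYSTEM\CurrentControlSet\Services\EventLog\$_" })
    $paths += 'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

    foreach ($path in $paths) {
        $result = 'readable'; $detail = $null
        try {
            $key = $hklm.OpenSubKey($path)                  # read-only open
            if ($null -eq $key) {
                $result = 'key not found'
            } else {
                if ($path -like '*\winreg') {
                    # ACL that governs who may use remote registry access.
                    $detail = ($key.GetAccessControl().Access |
                        ForEach-Object { "$($_.IdentityReference)=$($_.RegistryRights)" }) -join '; '
                } else {
                    # CustomSD: per-log security descriptor value on Windows Server 2003, if set.
                    $detail = $key.GetValue('CustomSD')
                }
                $key.Close()
            }
        } catch {
            # Win32 error 5 (ERROR_CODE[5] in the collector log) is "access denied".
            $result = 'failed: ' + $_.Exception.GetBaseException().Message
        }
        [pscustomobject]@{ Key = $path; Result = $result; Detail = $detail }
    }
    $hklm.Close()
}

Test-RemoteEventLogRegistry -Computer $Target -LogNames $Logs | Format-List
```

A "failed" result for the Application key under the collector's account reproduces the condition the collector reports; comparing the output with a run under an administrator account shows which key's permissions differ.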

 

Tush_B's picture

As you have listed, you have done every configuration on the remote server and you have also configured every policy.

As there is no Symantec product installed, you just have one user who is trying to fetch logs from the remote server.

Try to roll back all configuration on the remote server, and reconfigure as given by Symantec.

It might solve your problem.

SOLUTION
Shahnawaz K's picture

Yes Tush,

We have done just that and the issue got resolved.

Anyway, thanks to all of you guys for your support throughout the case.