
WINDOWS 7 COLLECTOR SSIM

Created: 19 Aug 2012 • Updated: 02 Oct 2012 | 15 comments
sviridov:
This issue has been solved. See solution.

when there will be official support?

Comments (15)

Laurent_c:

Do you mean supporting collection from a Windows 7 machine? (If so, this is included in the WinRM collector for Windows Vista/7/Win2k8.)

Or installing an Agent and Collector on a Windows 7 machine?

sviridov:

With which collector can I collect logs from Windows 7 (if the agent is installed on Windows 2003)?

All my posts are made by google translator!

KathyV:

You can use the Windows Vista collector to collect logs from a Windows 7 machine. Make sure WinRM is configured properly; the collection box and the Windows 7 machine have to be in the same domain.

sviridov:

I did not succeed in using the Windows Vista collector:

If you use the collector "Microsoft_Windows_Event_Collector_4.3.30_AllWin_EN", there is no description of the events.

Laurent_c:

The Microsoft Windows collector 4.3 is for collecting events from Windows 2003 or earlier.

It is recommended to use the:

Microsoft Windows Vista & Microsoft Windows Server 2008 Event Collector v4.4.x

As previously said, the requirement is to use WinRM.

Laurent

Avkash K:

Hi,

Refer to the links below, which will help you configure the Windows Vista collector for log collection from Windows 2008 as well as Windows 7.

Windows 2008 & 2008 R2 SSIM Integration Consolidated (Graphical):

https://www-secure.symantec.com/connect/articles/windows-2008-2008-r2-ssim-integration-consolidated-graphical

Installation & Troubleshooting Articles for Windows 2008 vista collector - SSIM:

https://www-secure.symantec.com/connect/articles/installation-troubleshooting-articles-windows-2008-vista-collector-ssim

Regards,

Avkash K

sviridov:

I have a PC with Windows 7 (not in a domain); the agent is installed on it.

Everything from the first article has been done:

1. The firewall is off:

2. Added the user ssimtest01 and NT Authority\Network Service as members of the "Event Log Readers" group:

3. winrm get winrm/config:

4. winrm enumerate winrm/config/Listener:

Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.12.203, ::1, fe80::5efe:192.168.12.203%12

5. wevtutil gl security

C:\Windows\system32>wevtutil gl security
name: security
enabled: true
type: Admin
owningPublisher:
isolation: Custom
channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x1;;;NS)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\security.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1

6. SSIM Sensor Configuration for OFF BOX Collection:

Error in the logs:

ERROR    2012-09-21 11:46:50,888    Collectors.3301.wGroup.[workinggroup0].Sensor.[armwin7]    Thread-16    Subscription error. Details: java.io.IOException: Unauthorized access. Status: 401. It is possible you provided incorrect Kerberos configuration.
ERROR    2012-09-21 11:46:50,888    Collectors.3301.wGroup.[workinggroup0].SensorThread    Thread-16    [Sensor: armwin7]    Sensor thread failed to open device. Trying to reopen...
 

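The channelAccess value printed by wevtutil in step 5 is an SDDL security descriptor, and it decides whether the collector account can read the Security log at all once WinRM lets it in. The following Python is an added example; it is not from the thread or from Symantec. It parses that descriptor and reports which principals hold read, write, clear and the standard rights, so you can confirm that the collector account gets read access through Event Log Readers and nothing more. The descriptor string is the one posted above with the wrapped line rejoined; the alias-to-SID table only covers the aliases that appear in it, and group membership is not expanded (pass the group SID to check it). Only hex access masks, as wevtutil prints them, are handled.

```python
import re

# Access-mask bits for an event log channel (wevtutil prints the mask in hex).
CHANNEL_RIGHTS = {
    0x1: "READ",            # needed to subscribe to / read the channel
    0x2: "WRITE",           # write events into the channel
    0x4: "CLEAR",           # clear the log
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}

# SDDL aliases and well-known SIDs that occur in the posted descriptor.
WELL_KNOWN = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "NS": "S-1-5-20"}
SID_NAMES = {
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "Builtin Administrators",
    "S-1-5-20": "Network Service",
    "S-1-5-32-573": "Event Log Readers",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def canonical_sid(token):
    """Map a two-letter SDDL alias to its SID; raw SIDs pass through unchanged."""
    return WELL_KNOWN.get(token, token)


def decode_mask(mask):
    return {name for bit, name in CHANNEL_RIGHTS.items() if mask & bit}


def parse_channel_sddl(sddl):
    """Split an O:/G:/D: SDDL string into owner, group and a list of DACL ACEs."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    aces = []
    for body in ACE_RE.findall(parts.get("D", "")):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) != 6:
            raise ValueError("unexpected ACE: (%s)" % body)
        ace_type, flags, rights, _obj, _inh, sid = fields
        if not rights.lower().startswith("0x"):
            raise ValueError("only hex access masks are handled: %s" % rights)
        aces.append({"type": ace_type,  # "A" = allow, "D" = deny
                     "flags": flags,
                     "mask": int(rights, 16),
                     "sid": canonical_sid(sid)})
    return {"owner": canonical_sid(parts.get("O", "")),
            "group": canonical_sid(parts.get("G", "")),
            "aces": aces}


def effective_rights(parsed, sid):
    """Rights granted directly to one SID: union of allow ACEs minus deny ACEs."""
    sid = canonical_sid(sid)
    allowed = denied = 0
    for ace in parsed["aces"]:
        if ace["sid"] != sid:
            continue
        if ace["type"] == "A":
            allowed |= ace["mask"]
        elif ace["type"] == "D":
            denied |= ace["mask"]
    return decode_mask(allowed & ~denied)


def can_read(parsed, sid):
    return "READ" in effective_rights(parsed, sid)


def principals_with_rights(parsed, *rights):
    """Least-privilege check: which SIDs are allowed any of the given rights."""
    wanted = set(rights)
    out = {}
    for ace in parsed["aces"]:
        if ace["type"] != "A":
            continue
        hit = decode_mask(ace["mask"]) & wanted
        if hit:
            out.setdefault(ace["sid"], set()).update(hit)
    return out


# channelAccess of the Security log as posted in the thread (line wrap rejoined).
SECURITY_CHANNEL_SDDL = ("O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)"
                         "(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x1;;;NS)")

if __name__ == "__main__":
    p = parse_channel_sddl(SECURITY_CHANNEL_SDDL)
    for sid in ("S-1-5-32-573", "S-1-5-20", "BA", "SY"):
        name = SID_NAMES.get(canonical_sid(sid), sid)
        print("%-24s %s" % (name, sorted(effective_rights(p, sid))))
    print("can clear the log:", principals_with_rights(p, "CLEAR"))
```

For the posted descriptor, Event Log Readers and Network Service hold READ only, Administrators hold READ and CLEAR, and Local System holds everything. S-1-5-20 and NS are the same principal, so two of the five ACEs are redundant. An account that is in Event Log Readers but still receives 401 from WinRM is therefore being rejected by WinRM authentication, not by the channel ACL.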

Laurent_c:

Hi,

Your Kerberos settings are:

Basic = False

Kerberos = True

If, as you say, the machine is in a workgroup, you need to change this.

You need:

Basic = True

Kerberos = False

SOLUTION
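The accepted answer switches the WinRM service from Kerberos to Basic authentication, which is the only one of the two that can work on a host outside a domain. The commands below are an added example, not from the thread or from Symantec; they show how to check and apply that change on the monitored Windows 7 host and add the checks and the caveat a practitioner would want around it: Basic sends the password base64-encoded, so it belongs on an HTTPS listener rather than the plain HTTP listener on 5985 shown in the post. The hostname armwin7.example.local, the certificate thumbprint and the collector address are placeholders.

```powershell
# Added example (not from the thread or Symantec): fix WinRM service authentication on a
# workgroup Windows 7 host so an off-box SSIM collector can subscribe to its event log.
# Run from an elevated PowerShell prompt on the monitored host.

# 1. Show what the WinRM service accepts. In the thread the host had Basic=false,
#    Kerberos=true, so a client that cannot do Kerberos (no domain) was answered with 401.
winrm get winrm/config/service/auth

# 2. The accepted answer: enable Basic and disable Kerberos. The single quotes matter:
#    in PowerShell an unquoted @{...} is parsed as a hashtable instead of being passed
#    to winrm.exe as text.
winrm set winrm/config/service/auth '@{Basic="true"}'
winrm set winrm/config/service/auth '@{Kerberos="false"}'

# 3. Caveat: Basic only base64-encodes the password. On the HTTP listener from the post
#    (port 5985) the service refuses Basic unless AllowUnencrypted=true, and that setting
#    sends the collector account's password in clear. Add an HTTPS listener instead,
#    bound to a server certificate whose subject matches the hostname (placeholders).
winrm create winrm/config/Listener?Address=*+Transport=HTTPS `
    '@{Hostname="armwin7.example.local";CertificateThumbprint="<SERVER-CERT-THUMBPRINT>"}'
winrm enumerate winrm/config/Listener

# 4. Rather than turning the firewall off (step 1 in the post), open only the WinRM HTTPS
#    port, and only to the collector's address (placeholder).
netsh advfirewall firewall add rule name="WinRM HTTPS from SSIM collector" `
    dir=in action=allow protocol=TCP localport=5986 remoteip=<COLLECTOR-IP>

# 5. Confirm the monitored-host account is in Event Log Readers (step 2 in the post);
#    that group gives read on the Security channel and nothing more.
net localgroup "Event Log Readers"

# 6. From another Windows machine (PowerShell 2.0 or later), prove the exact credentials
#    the sensor will use are accepted before editing the sensor configuration. A typo in
#    the account name, as happened later in the thread, fails right here.
Test-WSMan -ComputerName armwin7.example.local -Port 5986 -UseSSL `
    -Authentication Basic -Credential (Get-Credential 'armwin7\ssimtest01')
```

If the collector software can only speak to the HTTP listener, keep the firewall rule restricted to the collector's address and treat the collector account as a low-privilege, read-only account, since its password crosses the network in a recoverable form.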
sviridov:

Can I install the Microsoft_Vista_and_Win_2008_Svr_v4.4.11 collector on a Windows 2003 computer to remotely collect logs from Windows 7?

olaf:

Yes, that should work and is supported.

sviridov:

I installed the collector on a Windows 2003 server:

In the file msvista.log there is the following error:

ERROR 2012-10-02 10:52:54,898 Collectors.3301.wGroup.[workinggroup0].SensorThread Thread-1540 [Sensor: 2003-armwin7_2] Number of authentication errors in sensor exceeded maximum specified for this collector.
INFO 2012-10-02 10:52:54,898 Collectors.3301.wGroup.[workinggroup0].SensorThread Thread-1540 [Sensor: 2003-armwin7_2] >>> Close sensor thread...
 


olaf:

Are you sure about the Monitored Host Account Name?

In the last screenshot it is ssimtwst01; in an earlier screenshot it is ssimtest01.

sviridov:

Oops, thanks.

The new errors are in the attachment.

Attachment: msvista.zip (2.05 KB)

olaf:

Can you try the following?

Add a switch to ses_work.properties to force the collector to treat the system encoding as UTF-8.

The switch is -Dfile.encoding\=UTF-8 and you add it to the end of the System.AgentParams line.

For example:

System.AgentParams=-server -XX\:NewRatio\=3 -Xmx512m -Dnetworkaddress.cache.ttl\=300  -Dfile.encoding\=UTF-8

sviridov:

Yes, it works!!!!

Could this affect the performance of other collectors?