Troubleshooting Windows remote Event/Log Collection (IBM WinCollect, LogRhythm SMA)

Contents

Introduction
1. Connect remotely from Event Viewer
2. Check Network Connection
3. Check Account Permissions
4. Check Local Firewall Rules
5. Check Auditing

Introduction

Below are troubleshooting steps that can be followed to identify and fix issues with collecting Windows event logs from a remote computer (WinCollect or SMA polling a Windows server).

1. Connect remotely from Event Viewer

From WinCollect/SMA, connect to the remote computer using Event Viewer:
In the Event Viewer console, right-click Event Viewer (Computer name), where Computer name is the name of the computer you are connected to.

Select Connect to Another Computer.

Type the computer name of the other computer, e.g. GBR-DC1, and check the box Connect as another user: <none>.
Now you can provide the credentials for a user that has access to the remote computer, e.g. GBR.local\SVC_ACNT.

After this step you will either see the logs on the remote computer or get an error. If you get an error, follow the steps below.

2. Check Network Connection

Check that the ports below are open from WinCollect/SMA to the remote computer:

ID# | From - WinCollect | To - Windows Server | Port        | Protocol | Description                           | Service Required For
----+-------------------+---------------------+-------------+----------+---------------------------------------+-------------------------------------------------------------------------
1   | WinCollect/SMA    | Windows Server      | 135         | TCP      | DCOM                                  | WinCollect, Microsoft Security Event Log Protocol, Adaptive Log Exporter
2   | WinCollect/SMA    | Windows Server      | 137         | UDP      | Windows NetBIOS name service          | WinCollect, Microsoft Security Event Log Protocol, Adaptive Log Exporter
3   | WinCollect/SMA    | Windows Server      | 138         | UDP      | Windows NetBIOS datagram service      | WinCollect, Microsoft Security Event Log Protocol, Adaptive Log Exporter
4   | WinCollect/SMA    | Windows Server      | 139         | TCP      | Windows NetBIOS session service       | WinCollect, Microsoft Security Event Log Protocol, Adaptive Log Exporter
5   | WinCollect/SMA    | Windows Server      | 445         | TCP      | Microsoft Directory Service           | WinCollect, Microsoft Security Event Log Protocol, Adaptive Log Exporter
6   | WinCollect/SMA    | Windows Server      | 49152-65535 | TCP      | Default dynamic port range for TCP/IP | Default dynamic port range for TCP/IP

For rows 1 to 5, this traffic is generated by the WinCollect, Microsoft Security Event Log Protocol and Adaptive Log Exporter log source protocols.

If any of these ports are not open, the network team should check whether a firewall is blocking them and raise a request to allow these ports.

3. Check Account Permissions

Required permissions:

The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain admin privileges are required in most cases to poll a Windows event log across a domain. In some cases, the Backup Operators group can also be used, depending on how Microsoft Group Policy Objects are configured.

Windows XP and 2003 operating system users require read access to the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion


4. Check Local Firewall Rules

If all the ports are open, check the local firewall on the remote computer. If the firewall is on, check that the rules below are allowed:

COM+ Network Access (DCOM-In)
Remote Event Log Management (NP-In)
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)
Windows Management Instrumentation (ASync-In)
Windows Management Instrumentation (DCOM-In)
Windows Management Instrumentation (WMI-In)

5. Check Auditing

After following all the steps above, try connecting to the remote computer using Event Viewer from WinCollect/SMA again. If you can connect using Event Viewer but do not see real-time events, auditing is not set up on that server as per Microsoft's recommendations.

If everything is fine, check auditing on the server with the command below:

auditpol /get /category:*

Verify that auditing is enabled according to Microsoft's strong recommendations, as per the link below:

Please note that if the Windows server is not set up as per Microsoft's minimum recommendations (for hardware, RAM and CPU), this can impact performance.
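An added example, not from the original post, that scripts the checks in steps 2 to 5 from the WinCollect/SMA host in PowerShell. It assumes GBR-DC1 from step 1 as the remote server and that WinRM is enabled on it for the remote-side checks (WinRM is not in the port table above, which covers event log collection only).

```powershell
# Added example, not from the original post: checks the prerequisites from steps 2-5
# against one remote host, run from the WinCollect/SMA machine. Assumed: GBR-DC1 is
# the remote server named in step 1, and WinRM (TCP 5985, not in the port table) is
# enabled on it, which Invoke-Command needs for the remote-side checks.
param([string]$Computer = 'GBR-DC1')

# Step 2: probe the TCP ports from the table. UDP 137/138 cannot be probed this way,
# and the dynamic range 49152-65535 is exercised by the Get-WinEvent call at the end.
$tcpPorts = @(
    @{ Port = 135; Name = 'DCOM / RPC endpoint mapper' },
    @{ Port = 139; Name = 'NetBIOS session service' },
    @{ Port = 445; Name = 'Microsoft Directory Service (SMB)' }
)
foreach ($p in $tcpPorts) {
    $r = Test-NetConnection -ComputerName $Computer -Port $p.Port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'BLOCKED' }
    Write-Output ('TCP {0,-5} {1,-35} {2}' -f $p.Port, $p.Name, $state)
}

# Steps 3-5 on the remote host: firewall rules, Event Log Readers membership, audit policy.
$ruleNames = @(
    'COM+ Network Access (DCOM-In)',
    'Remote Event Log Management (NP-In)',
    'Remote Event Log Management (RPC)',
    'Remote Event Log Management (RPC-EPMAP)',
    'Windows Management Instrumentation (ASync-In)',
    'Windows Management Instrumentation (DCOM-In)',
    'Windows Management Instrumentation (WMI-In)'
)
Invoke-Command -ComputerName $Computer -ArgumentList (,$ruleNames) -ScriptBlock {
    param($names)
    foreach ($n in $names) {
        # A display name can match one rule per profile; any enabled Allow rule counts.
        $rules = @(Get-NetFirewallRule -DisplayName $n -ErrorAction SilentlyContinue)
        $ok = $rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
        $state = if ($rules.Count -eq 0) { 'MISSING' } elseif ($ok) { 'ALLOWED' } else { 'NOT ALLOWED' }
        Write-Output ('Rule {0,-48} {1}' -f $n, $state)
    }
    # On a domain controller this group lives in AD; use Get-ADGroupMember 'Event Log Readers' there.
    $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    Write-Output ('Event Log Readers: ' + (($members | ForEach-Object Name) -join ', '))
    auditpol /get /category:*   # same command as step 5
}

# End-to-end check: read one Security event over RPC, which also uses the dynamic port range.
try {
    Get-WinEvent -ComputerName $Computer -LogName Security -MaxEvents 1 | Format-List TimeCreated, Id, ProviderName
} catch { Write-Output "Remote Security log read FAILED: $($_.Exception.Message)" }
```

A port reported BLOCKED points to step 2, a rule reported MISSING or NOT ALLOWED to step 4, and a successful final read with no real-time events to the audit policy in step 5.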
