Windows Native Connector 8.2 not pulling logs when installed in Windows Server 2019

Hello to all,

I have faced several issues when installing Windows Native Connectors in Windows Server 2019. I have tested that these issues are faced when ArcSight connector versions 7.15 to 8.2 are installed.

The issue is that the Windows Native connector does not persistently pull logs from Windows endpoints, whether they are in a domain or standalone. I get to see the First Event from some Windows endpoints and sometimes it does pull a couple of logs, but there is no persistence in log collection, and I continuously see the error "ERROR  EventLogManager - Couldn't connect to endpoint System.Diagnostics.Eventing.Reader.EventLogException: The RPC server is unavailable".

I have come to this conclusion by installing the WINC connector in the same environment but on Windows Server 2016, where I see no delay, errors or any other issues in log collection. Apart from that, there is an issue whenever I want to edit the file: I see an error that I do not have sufficient permissions, even though I have Local Administrator and Domain Administrator privileges.

Kindly advise if anyone else has faced such issues.

  • Are you pulling logs or using WEC? Are the firewall rules the same on both the 2016 and 2019 host? I haven't experienced issues, but we mostly use WEC nowadays to get Windows events in.

    Also, even if you are logged in with those privileges, it doesn't mean the program you are trying to open the files with is run with those privileges, so you will need to run notepad or whatever as admin to open the files.

  • Actually... yes I see the same issue.  My observation came after wanting to replace a legacy VM with a new host (latest OS etc).  I have new and old hosts running in "parallel" because the new instance on 2019 is doing *exactly* the same thing you mention.  In this instance, not using WEC.

    And yes, these versions of the WINC force ACLs in code with the view of this being a more hardened configuration.

    In my case netstat -an can be used to confirm that the agent is reaching out to the target hosts, but for whatever reason the events aren't processing/getting to the destination.
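The thread points at three things worth checking from the connector host: whether the RPC endpoint mapper on each endpoint is reachable, whether a remote event log read over the same RPC channel the connector uses actually succeeds, and who holds access to the connector's configuration files. The following PowerShell script is an added example and is not ArcSight's or the connector's own code; the endpoint names and the `$ConnectorConfigPath` value are placeholders, and it assumes it is run on the WINC host under the account the connector service runs as.

```powershell
# Added diagnostic (not ArcSight's code). Endpoint names and the config path
# below are placeholders; replace them with your own values.
param(
    [string[]]$Endpoints = @('ENDPOINT01.example.local', 'ENDPOINT02.example.local'),
    [string]$ConnectorConfigPath = 'C:\ArcSight\<connector>\current\user\agent'   # placeholder
)

$results = foreach ($ep in $Endpoints) {
    # 1. The RPC endpoint mapper (TCP 135) must be reachable. The event log RPC
    #    interface is then served on a dynamic port, so a firewall that permits
    #    only 135 gives exactly the intermittent "RPC server is unavailable" picture.
    $epm = Test-NetConnection -ComputerName $ep -Port 135 -WarningAction SilentlyContinue

    # 2. Read one record through the remote event log service. If 135 is open but
    #    this fails, suspect the dynamic-port range or the endpoint's inbound
    #    'Remote Event Log Management' firewall group rather than basic reachability.
    try {
        $evt = Get-WinEvent -ComputerName $ep -LogName 'Security' -MaxEvents 1 -ErrorAction Stop
        $readOk = $true
        $readErr = ''
    } catch {
        $readOk = $false
        $readErr = $_.Exception.Message
    }

    [pscustomobject]@{
        Endpoint     = $ep
        Port135Open  = $epm.TcpTestSucceeded
        EventReadOk  = $readOk
        LastEventUtc = if ($readOk) { $evt.TimeCreated.ToUniversalTime() } else { $null }
        Error        = $readErr
    }
}
$results | Format-Table -AutoSize

# 3. Compare the dynamic RPC port range with what the firewall between the hosts
#    allows (same command on the connector host and on each endpoint).
netsh int ipv4 show dynamicport tcp

# 4. On each endpoint, the inbound rule group that admits event log RPC traffic
#    must be enabled. Run there directly or wrap it in Invoke-Command:
#    Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
#        Select-Object DisplayName, Enabled, Direction, Action

# 5. For the "insufficient permissions" symptom on the connector files, list the
#    explicit ACEs instead of guessing. If only SYSTEM and the service account
#    hold write access, an editor started without elevation is denied even when
#    the logged-in user is a local or domain administrator.
if (Test-Path $ConnectorConfigPath) {
    (Get-Acl -Path $ConnectorConfigPath).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

A row with `Port135Open` true and `EventReadOk` false is the case the replies describe: the host-level connection (what `netstat -an` shows) is there, but the event log interface on its dynamic port is not, so the firewall rule comparison between the 2016 and 2019 hosts is the next thing to look at.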