Highlighted
Contributor.
Contributor.
133 views

Collecting events when logging on via kerberos

Hello, everybody!

I use ArcSight WinC Connector  Version: 7.11.0.8139.0

I am trying to configure the event collection from the domain controller.
The controller uses kerberos authentication. In the agent.properties configuration file I set the
authentication to kerberos. But the connection does not go through and I get a log error:
<ArcSight Connector Version: 7.11.0.8139.0>
<ArcSight Parser Version: 7.11.0.8139.0>
[2020-09-15 12:08:31,986][ERROR][default.com.arcsight.agent.util.m][createParameterVerificationMessage] Error [Encountered [3] errors for command [GetLogAccessValidationResult].
Host: [dc1.qwe.local]
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EventLog: [System], Reason: [Cannot retrieve log info: [javax.xml.ws.WebServiceException: Could not send Message.]]
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EventLog: [Application], Reason: [Cannot retrieve log info: [javax.xml.ws.WebServiceException: Could not send Message.]]
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EventLog: [Security], Reason: [Cannot retrieve log info: [javax.xml.ws.WebServiceException: Could not send Message.]]]. Possible Solution []

Port 5986 is open for communication, no problems on the network lock side.
I use CentOS 7.6. The krb5.conf configuration file is configured and I successfully get the ticket by running command kinit user_name@QWE.LOCAL

Can you tell us what the problem may be and how to solve it?

0 Likes
4 Replies
Highlighted
Super Contributor.
Super Contributor.

You're running the WiNC on SmartConnector CentOS 7.6?  From the WiNC SmartConnector configuration guide that set up is not supported.

https://community.microfocus.com/t5/ArcSight-Connectors/SmartConnector-for-MS-Windows-Event-Log-Native-SmartConnector/ta-p/1585123

SmartConnector for Windows Event Log - Native Limitations

Runs only on Windows; it cannot be run on Management Center, Connector Appliance, or Linux/Unix OS, although it can be remotely managed from Management Center

0 Likes
Highlighted
Contributor.
Contributor.

Excuse me, I missed the titles)))

I use: Windows SmartConnector Config (commonly known as WiSC) is a Linux-based SmartConnector
that collects logs from Windows hosts. 

0 Likes
Highlighted
Knowledge Partner
Knowledge Partner

Hi
i would strongly recommend you avoid using WISC / WINC on Linux - it is not stable and you will lose events. Have a look at the release notes for the limitations.

Try to use a Windows Server to host a WINC, you will regret trying to get WISC working!

0 Likes
Highlighted
Contributor.
Contributor.

Ok, thanks.

 
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.