anchalj191 (Contributor)

Service User account rights for pulling the logs from Windows servers

Hi ,
Good Day!
We are trying to integrate the Windows devices with the Win_native connector. While trying to connect to the end device (Windows server) via a service account (also added to the event log reader group), it throws the error "Access denied(5)" for the service account user.

Please let us know exactly what rights are required for pulling the Windows logs with the service account user.

Thanks in advance,
AJ

Micro Focus Expert

Re: Service User account rights for pulling the logs from Windows servers

Is the native Windows Connector connecting directly to the servers itself, or are you sending all logs to a Windows Event Collector and using the Windows Connector to pull logs from that?

The correct rights should be in the documentation here:

https://community.microfocus.com/t5/ArcSight-Connectors/SmartConnector-for-Microsoft-Windows-Event-Log-Native/ta-p/1585123

Starting from Page 13.

Are both servers in the same domain, or is this local authentication?

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort, and cannot be taken as official support replies.
//Marius
anchalj191 (Contributor)

Re: Service User account rights for pulling the logs from Windows servers

Hi Marius,

Thanks for the response!

We have installed the ArcSight SmartConnector native for collecting the logs from the Windows server, using the fully qualified host name, user and password, which logically connects to the event viewer of the integrated server and pulls the logs to the connector.

Micro Focus Expert

Re: Service User account rights for pulling the logs from Windows servers

Does this then use domain authentication? If it does, are both the connector server and the Windows server in the same domain, or are you using a local service account?
//Marius
mschleich (Acclaimed Contributor)

Re: Service User account rights for pulling the logs from Windows servers

Hi,

Could you please tell me if the servers you mention are set up in the same Windows domain (which is also the same as that of your WEC, if you use one)?
Because if not, it is more complex: you need to use certificates!

We have succeeded in retrieving all Windows logs & Sysmon logs from 50000 workstations using 2 WiNC SmartConnectors and 10 WECs.

Your access denied problem may be due to this: WiNC.PNG

From p13 to p15 in the SmartConnector Guide as mentioned by Marius.

Collecting logs from workstations or from servers is exactly the same, thus I think I can help.
If you have any problem or question setting up such an infrastructure, do not hesitate.

Thanks
Kind regards

Michael

Micro Focus Expert

Re: Service User account rights for pulling the logs from Windows servers

In addition to the documentation that @Marius2 pointed to, please check out my guide on setting this up: Collecting Windows Event Logs Using Windows Event Forwarding

anchalj191 (Contributor)

Re: Service User account rights for pulling the logs from Windows servers

Thanks Michael and Steve, I am checking the things as referred to in the document and the attached image, and will share the result if it gets resolved. And sure, I will be reaching back if needed without any hesitation.

mschleich (Acclaimed Contributor)

Re: Service User account rights for pulling the logs from Windows servers

Hi Anchalj191,

From the connector host, could you please launch the following command:

netstat -n | findstr "ESTABLISHED"

You should see the Windows servers' IPs with port TCP 135 and TCP 49153 (or increased by 1).

It is just to confirm that everything is OK regarding the network and the port. I want to be sure the connector has successfully accessed the Windows servers.
How many Windows servers do you need to retrieve logs from? Because if it is a huge number, like above 100, the comment of Steve-m is really good: it is recommended to use a WEC in that case.
I can help on this also, as it is what I am using to retrieve logs from 50000 workstations.

Could you please tell us if it is OK?

Thanks
Kind regards

Michael

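The netstat check from the reply above, turned into a per-server report; this is an added example, not part of the thread or of ArcSight. The function name `Test-RpcSessions`, the IP addresses and the sample netstat lines are constructed, and it generalizes "49153 (or increased by 1)" to the default Windows dynamic RPC range 49152-65535, which is an assumption about the target servers.

```powershell
function Test-RpcSessions {
    param(
        [string[]]$NetstatLines,  # output of: netstat -n
        [string[]]$ServerIPs      # Windows servers the connector should reach
    )
    # Remote ports of ESTABLISHED TCP sessions, keyed by remote IPv4 address.
    # IPv6 rows and non-ESTABLISHED states are ignored.
    $seen = @{}
    foreach ($line in $NetstatLines) {
        # Columns: Proto  Local Address  Foreign Address  State
        if ($line -match '^\s*TCP\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+ESTABLISHED') {
            $ip = $Matches[1]
            if (-not $seen.ContainsKey($ip)) { $seen[$ip] = @() }
            $seen[$ip] += [int]$Matches[2]
        }
    }
    foreach ($ip in $ServerIPs) {
        $ports = @()
        if ($seen.ContainsKey($ip)) { $ports = @($seen[$ip]) }
        $has135  = $ports -contains 135   # RPC endpoint mapper
        # Assumption: default dynamic RPC range; adjust if the servers restrict it.
        $dynamic = @($ports | Where-Object { $_ -ge 49152 })
        $status = if ($dynamic.Count -gt 0) {
            'RPC session established'
        } elseif ($has135) {
            'TCP 135 only, no dynamic-port session'
        } else {
            'no connection seen'
        }
        [pscustomobject]@{
            Server = $ip; Port135 = $has135
            DynamicPorts = ($dynamic -join ','); Status = $status
        }
    }
}

# Constructed sample of `netstat -n` output from a connector host at 10.0.0.5.
$sample = @(
    '  TCP    10.0.0.5:51234     10.0.0.21:135      ESTABLISHED',
    '  TCP    10.0.0.5:51235     10.0.0.21:49153    ESTABLISHED',
    '  TCP    10.0.0.5:51240     10.0.0.22:135      ESTABLISHED',
    '  TCP    10.0.0.5:51300     10.0.0.30:443      TIME_WAIT'
)
Test-RpcSessions -NetstatLines $sample -ServerIPs '10.0.0.21','10.0.0.22','10.0.0.23' |
    Format-Table -AutoSize
# Live use on the connector host:
#   Test-RpcSessions -NetstatLines (netstat -n) -ServerIPs '<server-ip>'
```

A server that shows "RPC session established" has passed the network check described above; one that shows "no connection seen" points to routing or firewalling rather than account rights.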