WiNC remote host and account lockout
We have a WiNC connector currently configured to "pull" events from approx 50 Windows 2012 servers. We created a domain account "logpull" and added this to the EventLogReaders group on each server, and to the WiNC configs.
So far so good.
Today, this "logpull" account got locked out. The Windows event logs showed the lockout source as the same host where this particular WiNC resides. Before diving into anything, we sanity checked some things, and fixed the issue by backing out a recent change to the connector's remote host list - it seems a couple of new servers were added to the WiNC, and one of these servers did not yet have the EventLogReaders group configured properly (no logpull account added). WiNC repeatedly trying to reach out to that server locked the account.
Going forward, the obvious answer might seem to be to just disable the lockout threshold on this logpull account. However, that has some implications here.
My question is - in a similar scenario, in future, if (for whatever reason) one of our WiNC hosts whacks the logpull domain account again, assuming I know which WiNC is involved, how do I quickly get into the weeds to identify the specific remote server? I assume I need to grep through the agent logs where WiNC is installed - and I am floundering around there today - but if anyone has any pointers to specific log entries or other clues in WiNC, that would be really appreciated.
Thanks as always for the help....
Do you have all of the events going into Logger? If so, try running this search query...it may help with pin pointing the culprit.
destinationUserName = "XXX" AND deviceEventCategory = "Security" AND (externalId IN ["4625", "4626", "4627", "4628", "4629", "4630", "4631", "4632", "4633", "529", "530", "531", "532", "533", "534", "535", "536", "537", "539"]) | chart count(destinationUserName) by destinationUserName, destinationNtDomain, destinationHostName, destinationAddress, externalId, name
This is what we use for finding habitual failed logins and lock outs.
Thanks David, yes we have Logger upstream. That's a useful query, appreciate you posting it.
I'm poking around on Logger today and I can see who the source is (it's a WiNC host server). That's the system that's locking the account - but trying to tease out which of the dozens of Windows servers the WiNC agent connects to remotely is where I'm at. FYI I think I found some interesting "Unauthorized access to endpoint System" events in the wincagent.log, now investigating those targets to see why they won't let WiNC access the event logs.
Update - I went to the server that houses WiNC, which was also the "source" of the account lockouts. I found an error for a server in the wincagent.log:
[<culprit_hostname>~Security] ERROR EventLogManager - Unauthorized access to endpoint System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
I validated the remote server name was correct in the WiNC table, and also verified that this remote Windows server did in fact have the logpull account in its EventLogReaders group, etc. Things appeared to be OK.
I was thinking we might have fat-fingered the password for this entry in the WiNC table, but all hosts in the table use the same (default) domain credentials in the WiNC config, and all of them are working without issue.
Anyway, failing to come up with any explanation as to why this one entry was causing an account lockout, I removed the entry from the WiNC remote host table, then added it back, and (so far) the error has not re-appeared, and the events are moving.
A bit of a head scratcher, but glad it is working again...
Hi, I got the same error, and my account locked out after that error. I believe I did nothing wrong; the service account and password can log in to the hosts via the Event Viewer. But the connector keeps locking my service account. And I have used every version of the WiNC connector (7.5, 7.4, 7.3, 7.2). Nothing works. This is really annoying when using ArcSight products.
Agree, it is annoying. This happened again a couple weeks ago - same issue.
What makes it a bit more aggravating is when I have multiple WiNC connectors on the same server. This source server is identified in the Windows account lockout events, but then I have to search logs from multiple WiNC connectors on that server to find the specific connector that's generating the error. There is probably an easier way to do this (I'm not a guru). When this happens, I need to fix it quickly; so far I haven't had time to really drill into the weeds to identify the root cause - something weird going on in the current Windows environment, perhaps....
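Since the thread's answer boils down to "find the `[<host>~<channel>] ERROR EventLogManager - Unauthorized access to endpoint` lines in wincagent.log and read the host out of the bracket prefix", and the follow-up problem is having several WiNC connectors on one lockout-source server, here is a small script that does both at once. It is an added example, not code from the original posts or from ArcSight: it parses the error format quoted earlier in the thread, tallies errors per remote host and channel for each connector's log, and ranks them so the connector/host pair to fix is at the top. The timestamp prefix in the sample lines, the connector names and the log paths are constructed assumptions; only the bracketed host/channel prefix and the error text come from the post above.

```python
import re
from collections import Counter
from pathlib import Path

# Regex for the error line quoted earlier in the thread:
#   [<host>~Security] ERROR EventLogManager - Unauthorized access to endpoint ...
# The "[host~channel]" prefix and the error text are taken from that quoted line;
# anything after "endpoint" is left open so the exception text may vary.
UNAUTHORIZED_RE = re.compile(
    r"\[(?P<host>[^\[\]~]+)~(?P<channel>[^\[\]]+)\]\s+ERROR\s+EventLogManager\s+-\s+"
    r"Unauthorized access to endpoint"
)


def unauthorized_by_host(lines):
    """Count 'Unauthorized access to endpoint' errors per (remote host, channel)."""
    counts = Counter()
    for line in lines:
        m = UNAUTHORIZED_RE.search(line)
        if m:
            counts[(m.group("host"), m.group("channel"))] += 1
    return counts


def rank_culprits(connector_logs):
    """connector_logs maps a connector name to the lines of its wincagent.log.
    Returns (connector, host, channel, count) tuples, highest count first, so
    with several connectors on one lockout-source server the pair to fix is on top."""
    rows = []
    for connector, lines in connector_logs.items():
        for (host, channel), n in unauthorized_by_host(lines).items():
            rows.append((connector, host, channel, n))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


def load_connector_logs(paths):
    """Read real log files; paths maps a connector name to its wincagent.log path.
    Assumed usage (hypothetical install paths, not an ArcSight default):
      load_connector_logs({"winc_prod": r"C:\ArcSight\WiNC1\current\logs\wincagent.log"})
    """
    return {
        name: Path(path).read_text(encoding="utf-8", errors="replace").splitlines()
        for name, path in paths.items()
    }


# Constructed sample lines (not real wincagent.log output): two connectors on the
# same host, one of which keeps failing against SRV-APP07. The leading timestamp
# is an assumption; the regex only relies on the "[host~channel] ERROR ..." part.
SAMPLE_LOGS = {
    "winc_prod": [
        "[2018-05-01 10:02:11] [SRV-DC01~Security] INFO  EventLogManager - Read 120 events",
        "[2018-05-01 10:02:15] [SRV-APP07~Security] ERROR EventLogManager - Unauthorized access to endpoint "
        "System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.",
        "[2018-05-01 10:02:45] [SRV-APP07~Security] ERROR EventLogManager - Unauthorized access to endpoint "
        "System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.",
        "[2018-05-01 10:03:15] [SRV-APP07~System] ERROR EventLogManager - Unauthorized access to endpoint "
        "System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.",
    ],
    "winc_dmz": [
        "[2018-05-01 10:02:20] [SRV-WEB02~Security] INFO  EventLogManager - Read 33 events",
    ],
}

if __name__ == "__main__":
    for connector, host, channel, n in rank_culprits(SAMPLE_LOGS):
        print(f"{connector:10} {host:12} {channel:10} {n} unauthorized-access errors")
```

Run against the real files with `rank_culprits(load_connector_logs({...}))`, one entry per connector install on the lockout-source server; the top row names the connector and the remote host to pull from the WiNC remote host table (or to fix the Event Log Readers membership on) before the lockout threshold is hit again. Each repeated error against the same host is also a useful count to compare with the lockout threshold in the domain policy.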
Yeah, account lockout is a nightmare. I was using WUC and that problem was solved. However, our org needs Win10 logs, so we have no choice but to use the WiNC, where we thought everything would work smoothly and effectively. But no, it's more pain than WUC, and even when I set up the Forwarded Events log on a WEC server, the WiNC's only job is to go to the local machine and grab the forwarded logs, and it failed (connection cannot reach the remote host even though the WiNC is installed on the local machine). I think HP should be aware of this problem with Win10 since it came to market. Now there is nothing about Win10 I can search on the forum other than my posts. I'm really disappointed with ArcSight now, and we will break up with ArcSight soon and move on to a user-friendly product.