Admiral

WiNC remote host and account lockout

Hi all,

We have a WiNC connector currently configured to "pull" events from approx. 50 Windows 2012 servers. We created a domain account "logpull" and added this to the EventLogReaders group on each server, and to the WiNC configs.

So far so good.

Today, this "logpull" account got locked out. The Windows event logs showed the lockout source as the same host where this particular WiNC resides. Before diving into anything, we sanity checked some things, and fixed the issue by backing out a recent change to the connector's remote host list - it seems a couple of new servers were added to the WiNC, and one of these servers did not yet have the EventLogReaders group configured properly (no logpull account added). WiNC repeatedly trying to reach out to that server locked the account.

Going forward, the obvious answer might seem to be to just disable the lockout threshold on this logpull account.  However, that has some implications here.

My question is - in a similar scenario, in future, if (for whatever reason) one of our WiNC hosts whacks the logpull domain account again, assuming I know which WiNC is involved, how do I quickly get into the weeds to identify the specific remote server? I assume I need to grep through the agent logs where WiNC is installed - and I am floundering around there today - but if anyone has any pointers to specific log entries or other clues in WiNC, that would be really appreciated.

Thanks as always for the help....

Vice Admiral

Do you have all of the events going into Logger? If so, try running this search query...it may help with pinpointing the culprit.

destinationUserName = "XXX" AND deviceEventCategory = "Security" AND (externalId IN ["4625", "4626", "4627", "4628", "4629", "4630", "4631", "4632", "4633", "529", "530", "531", "532", "533", "534", "535", "536", "537", "539"]) | chart count(destinationUserName) by destinationUserName, destinationNtDomain, destinationHostName, destinationAddress, externalId, name

This is what we use for finding habitual failed logins and lockouts.

Admiral

Thanks David, yes we have Logger upstream. That's a useful query, appreciate you posting it.

I'm poking around on Logger today and I can see who the source is (it's a WiNC host server). That's the system that's locking the account - but trying to tease out which of the dozens of Windows servers the WiNC agent connects to remotely is where I'm at. FYI I think I found some interesting "Unauthorized access to endpoint System" events in the wincagent.log, now investigating those targets to see why they won't let WiNC access the event logs.

Admiral

Update - I went to the server that houses WiNC, which was also the "source" of the account lockouts. I found an error / server in the wincagent.log:

[<culprit_hostname>~Security] ERROR  EventLogManager - Unauthorized access to endpoint System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.

I validated the remote server name was correct in the WiNC table, and also verified that this remote Windows server did in fact have the logpull account in its EventLogReaders group, etc. Things appeared to be OK.

I was thinking we might have fat-fingered the password for this entry in the WiNC table, but all hosts in the table use the same (default) domain credentials in the WiNC config, and all of them are working without issue.

Anyway, failing to come up with any explanation as to why this one entry was causing an account lockout, I removed the entry from the WiNC remote host table, then added it back, and (so far) the error has not re-appeared, and the events are moving.

A bit of a head scratcher, but glad it is working again...

Cadet 2nd Class

Hi, I got the same error, and my account locked out after that error. I believe I did nothing wrong; the service account and password can log in to the hosts via the Event Viewer. But the connector keeps locking my service account. And I have used every version of the WiNC connector (7.5, 7.4, 7.3, 7.2). Nothing works. This is really annoying when using ArcSight products.

Admiral

Agree, it is annoying. This happened again a couple of weeks ago - same issue.

What makes it a bit more aggravating is when I have multiple WiNC connectors on the same server. This source server is identified in the Windows account lockout events, but then I have to search logs from multiple WiNC connectors on that server to find the specific connector that's generating the error. There is probably an easier way to do this (I'm not a guru). When this happens, I need to fix it quickly, so far I haven't had time to really drill into the weeds to identify the root cause - something weird going on in the current Windows environment, perhaps....

Cadet 2nd Class
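One way to narrow the search the two posts above describe (which remote server, and which of several connectors on the same collector host, is generating the "Unauthorized access to endpoint" errors), as an added example that is not from the thread or from ArcSight. The log line shape is assumed from the single wincagent.log line quoted earlier in the thread; the hostnames, file paths and sample lines are constructed.

```python
import re
from collections import Counter

# Assumed line shape, modelled on the one wincagent.log line quoted in the thread:
#   [<host>~<channel>] ERROR  EventLogManager - Unauthorized access to endpoint System.UnauthorizedAccessException: ...
UNAUTH_RE = re.compile(
    r"^\[(?P<host>[^\]~]+)~(?P<channel>[^\]]+)\]\s+ERROR\s+EventLogManager\s+-\s+"
    r"Unauthorized access to endpoint"
)

# Constructed sample: two connectors on the same collector box, one clean, one failing on a single target.
SAMPLE_LOGS = {
    "winc_a/wincagent.log": [
        "[srv-app01~Security] INFO  EventLogManager - Connected",
        "[srv-app07~Security] ERROR  EventLogManager - Unauthorized access to endpoint System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.",
        "[srv-app07~Security] ERROR  EventLogManager - Unauthorized access to endpoint System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.",
        "[srv-app02~System] INFO  EventLogManager - Connected",
    ],
    "winc_b/wincagent.log": [
        "[srv-db03~Security] INFO  EventLogManager - Connected",
    ],
}


def unauthorized_targets(lines):
    """Count 'Unauthorized access' errors per (host, channel) in one connector's log."""
    counts = Counter()
    for line in lines:
        m = UNAUTH_RE.match(line)
        if m:
            counts[(m.group("host"), m.group("channel"))] += 1
    return counts


def triage(logs):
    """Map connector log path -> per-target error counts, leaving out connectors with no errors."""
    result = {}
    for path, lines in logs.items():
        counts = unauthorized_targets(lines)
        if counts:
            result[path] = counts
    return result


if __name__ == "__main__":
    # Each failing target is a candidate for repeated failed logons and therefore for the lockout.
    for path, counts in triage(SAMPLE_LOGS).items():
        for (host, channel), n in counts.most_common():
            print(f"{path}: {host} [{channel}] {n} unauthorized-access errors")
```

Point `SAMPLE_LOGS` at the real wincagent.log files of each connector on the collector host; the targets with the highest counts are the ones to check against the EventLogReaders membership and the Logger query above.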

Yeah, account lockout is a nightmare. I was using WUC and that problem was solved. However, our org needs Win10 logs, so we have no choice but to use the WiNC, where we thought everything would work smoothly and effectively. But no, it's more pain than WUC, and even when I set up the Forwarded Event Logs on the WEC server, the WiNC's only job is to go to the local machine and grab the Forwarded logs, and it failed. (Connection can't reach the Remote Host even though the WiNC is installed on the local machine.) I think HP should be aware of this problem with Win10 since it came to the market. Now there is nothing about Win10 I can search on the forum other than my posts. I'm really disappointed with ArcSight now, and we will break up with ArcSight soon and move on to a user-friendly product.
