
Windows server 2003 logs forwarding

Hi guys,

I really need help here. How do I actually forward logs from Windows Server 2003 to the SmartConnector? For Windows Server 2008 all I need to do is assign the user to "Event Log Readers". How about Windows Server 2003? I tried assigning Administrator access to my arcsight user in Windows Server 2003, still no luck; my SmartConnector cannot connect to the server.

I'm using the Microsoft Windows Event Log – Unified SmartConnector and both servers can communicate with no issue.

Help please.


Re: Windows server 2003 logs forwarding

There are a few things you need to take care of:

1. Check the network port from Windows Server --> Connector on TCP port 445. Try telnet from the Connector server to the Windows server.

2. Check whether the arcsight user is added under "Manage auditing and security log". This option can be found under: Administrative tools --> Security Settings --> Local Policies --> User Rights Management.

3. Also check whether the RPC service is running on the Windows server.

Regards,

Anirudh


Re: Windows server 2003 logs forwarding

Hi Anirudh,

Thanks for the reply, I did a test:

1. I was able to telnet from the connector server to the Windows server

2. User already added to Manage auditing and security log

3. RPC service is running

What else do I need to check?


Re: Windows server 2003 logs forwarding

Is it possible for you to check whether the user is able to view the security logs?

Log in to the Windows server with that user and then --> Start --> Run --> eventvwr --> click on Security and see whether you are able to view them.

Also try this once you are done with enabling the auditing:

  GPUpdate /Force

How do you define your username? Is it in the following format: (DomainName\UserName)?

If everything is good then I would like to see the agent log to identify the error.

Regards,

Anirudh


Re: Windows server 2003 logs forwarding

Hi Anirudh,

I remoted to the machine using the user created and was able to access it with no issue. I was able to run eventvwr and view the security logs. I performed the GPUpdate /Force and retried from the connector, still no luck.

This server is not connected to any domain and the user is a local user, so the "Domain" field is empty and the "UserName" field is the "userID". I also tried using "serverName\UserID", no luck as well. I tried other servers that are not connected to a domain and use local user accounts, and was able to collect logs, but from this server I'm not able to collect.

In the agent.log I'm receiving the error:

Logon failure: the user has not been granted the requested logon type at this computer.

What to do next?


Re: Windows server 2003 logs forwarding

Try adding the user under the Administrator group and also to the Backup Operator group.

Please check whether the firewall of the Windows server is disabled. I have also attached the logbaseline document for your reference.


Re: Windows server 2003 logs forwarding

Document attached


Re: Windows server 2003 logs forwarding

Hi Albert,

I am not able to add non-domain servers to connectors. It gives me the error "connector parameters could not parse.. cannot connect to 10.x.x.x" as the domain field is blank. Please help.
