Anonymous_User

Collecting Events from NTLM Operational Logs


Using WECS to try and collect the logs from the NTLM Operational log. I
am successfully getting Security logs from WECS. So I configured my
Windows devices to log the 800X events to the NTLM logs and added the
following to EventLogQuery for the event source in question:

Code:
--------------------
Microsoft-Windows-NTLM/Operational,"EventCode = 8001 OR EventCode = 8002 OR EventCode 8003 OR EventCode 8004"
--------------------

I have restarted the event source in the ESM as well as the WECS service
account on the device to no effect. Like I said I am successfully
getting Security logs from this device, but I can't get this logging to
work. What might I be missing?


--
psmcgovern
------------------------------------------------------------------------
psmcgovern's Profile: https://forums.netiq.com/member.php?userid=5730
View this thread: https://forums.netiq.com/showthread.php?t=55059

ScorpionSting

Re: Collecting Events from NTLM Operational Logs


From the WECS box, can you use mmc as the WMI user (runas.exe) to read
the event log? Wonder if it's ACLs...

Also try turning logging to TRACE on the WECS service to see if queries
are being performed as expected


--
-"Also now available in 'G+'
(http://plus.google.com/+BenWalter-Kiwi) and 'Website'
(https://www.isam.kiwi/) format".- 😉
------------------------------------------------------------------------
ScorpionSting's Profile: https://forums.netiq.com/member.php?userid=469
View this thread: https://forums.netiq.com/showthread.php?t=55059


Visit my Website for links to Cool Solution articles.
Anonymous_User

Re: Collecting Events from NTLM Operational Logs


ScorpionSting;263799 Wrote:
> From the WECS box, can you use mmc as the WMI user (runas.exe) to read
> the event log? Wonder if it's ACLs...
>
> Also try turning logging to TRACE on the WECS service to see if queries
> are being performed as expected


I was able to read the event log with the WECS account from the WECS box
with no issue.

The swecs.log does show an error, however, which I neglected to mention
earlier:
> 2015-12-29 16:32:41,692|STP SmartThreadPool Thread #98|INFO|Opening
> connection 29342B40-BE87-1032-B0B0-B3A55BB4F422 to
> \\targetserver\root\cimv2 (encrypted: True)
> 2015-12-29 16:32:41,879|STP SmartThreadPool Thread #98|ERROR|Task
> (29342B40-BE87-1032-B0B0-B3A55BB4F422:QueryHistory-Microsoft-Windows-NTLM/Operational@targetserver)
> : WMI failed fetching query results
> SemiSync|ErrorCode:(InvalidQuery)(Operation:ExecQuery)(ParameterInfo:Select
> * from Win32_NTLogEvent Where Logfile =
> 'Microsoft-Windows-NTLM/Operational' AND (EventCode = 8001 OR EventCode
> = 8002 OR EventCode 8003 OR EventCode 8004) AND TimeWritten >=
> '20151225151641.000000+000' AND TimeWritten <=
> '20151225153141.000000+000')(ProviderName:WinMgmt)| at
> System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus
> errorCode)
> at
> System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
> at
> Novell.Sentinel.Windows.EventManagement.Tasks.QueryTask.FetchQueryResults(ManagementObjectSearcher
> mos)
> 015-12-29 16:32:41,879|STP SmartThreadPool Thread #98|WARN|Notify client
> error : 2##29342B40-BE87-1032-B0B0-B3A55BB4F422##10.XX.XX.XX##Invalid
> query


I tried different queries with no luck. I confirmed the full name for
the log in question and patterned the query according to the
documentation.


ScorpionSting

Re: Collecting Events from NTLM Operational Logs


Could you please also confirm the version of WMI Connector, Microsoft
Collector, and Sentinel you're using?

Wonder if it's a WMI access issue....


Anonymous_User

Re: Collecting Events from NTLM Operational Logs


ScorpionSting;263825 Wrote:
> Could you please also confirm the version of WMI Connector, Microsoft
> Collector, and Sentinel you're using?
>
> Wonder if it's a WMI access issue....


We are working on upgrading, so we are behind on versions:
Sentinel 7.1.2.0
WMI 2011.1r2
Microsoft Active Directory and Windows 2011.1r3

Also I tried the revised query. Thanks for the catch. That fixed the
invalid query error. I am guessing it's WMI access as well then.


ScorpionSting

Re: Collecting Events from NTLM Operational Logs


What is the WECS log saying now, at TRACE, when it tries to query?

You could try running wbemtest as the WECS user and performing the query
from the WECS log manually to see if there is something more verbose in
the output.


Anonymous_User

Re: Collecting Events from NTLM Operational Logs


No errors in swecs.log.

Running wbemtest using the WECS account with the following query:

Code:
--------------------
Select * from Win32_NTLogEvent where Logfile = 'Microsoft-Windows-NTLM/Operational'
--------------------

It returns no errors but also no logs. I can confirm events in the event
viewer.


ScorpionSting

Re: Collecting Events from NTLM Operational Logs


Yeah, does sound like ACLs..... Don't forget to update your reg file
with a CustomSD for the log in question....


Anonymous_User

Re: Collecting Events from NTLM Operational Logs


Thanks for the tip. I went to update the reg file and I cannot find a
CustomSD for this log. This is under the Applications and Services Logs,
which is not the same as the Application Log. I am scouring the
registry to find this, but none of the logs under the Applications and
Services Logs heading seem to be present.


ScorpionSting

Re: Collecting Events from NTLM Operational Logs


Okay, one step back.... Through Event Viewer, can you find events
(EventIDs 8001 - 8004) in the event log?


Anonymous_User

Re: Collecting Events from NTLM Operational Logs


ScorpionSting;264010 Wrote:
> Okay, one step back.... Through Event Viewer, can you find events
> (EventIDs 8001 - 8004) in the event log?


Yes I can.


ScorpionSting

Re: Collecting Events from NTLM Operational Logs


I found this reg key....


Code:
--------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-NTLM/Operational
--------------------


There is a REG_SZ called ChannelAccess that appears to be the
ACLs...you could try a CustomSD within this key (not sure if APIs will
read and action) - or try carefully tweaking the ChannelAccess....


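Before editing the ChannelAccess value under the WINEVT\Channels key named above, it helps to read the descriptor and confirm which SIDs actually hold the read bit. The Python below is an added example (not from this thread, Sentinel, or WECS): a small SDDL DACL parser that checks whether a given account SID is granted read on a channel and, if not, appends an allow-read ACE. The sample descriptor and the collector SID are constructed; the function names are my own; channel rights use the masks 0x1 = read, 0x2 = write, 0x4 = clear, and only the hex mask form is handled.

```python
import re

# Access-mask bits used in event-log channel security descriptors
# (the ChannelAccess value or a CustomSD): 0x1 = read, 0x2 = write, 0x4 = clear.
CHANNEL_READ, CHANNEL_WRITE, CHANNEL_CLEAR = 0x1, 0x2, 0x4

# Well-known SID aliases commonly seen in these descriptors.
SID_ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "AU": "S-1-5-11"}

ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample in the shape of a ChannelAccess value; not copied from any host.
SAMPLE_CHANNEL_ACCESS = "O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-32-573)"
# Hypothetical SID of the account the collector service runs as (placeholder, not real).
COLLECTOR_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

def split_sddl(sddl):
    """Return (prefix, dacl, sacl) so the DACL can be inspected or extended in place."""
    head, _, rest = sddl.partition("D:")
    dacl, sep, sacl = rest.partition("S:")
    return head + "D:", dacl, sep + sacl

def parse_dacl(sddl):
    """Yield (ace_type, access_mask, sid) for each ACE in the DACL; hex masks only."""
    _, dacl, _ = split_sddl(sddl)
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6 or not fields[2].lower().startswith("0x"):
            raise ValueError("unsupported or malformed ACE: (%s)" % body)
        yield fields[0], int(fields[2], 16), SID_ALIASES.get(fields[5], fields[5])

def has_channel_read(sddl, sid):
    """True if SID is allowed the read bit and no ACE explicitly denies it."""
    allowed = denied = False
    for ace_type, mask, ace_sid in parse_dacl(sddl):
        if ace_sid == sid and mask & CHANNEL_READ:
            allowed |= ace_type == "A"
            denied |= ace_type == "D"
    return allowed and not denied

def grant_channel_read(sddl, sid):
    """Return the descriptor with an allow-read ACE for SID added to the DACL if it lacks one."""
    if has_channel_read(sddl, sid):
        return sddl
    prefix, dacl, sacl = split_sddl(sddl)
    return prefix + dacl + "(A;;0x1;;;%s)" % sid + sacl
```

Run has_channel_read against the descriptor read from the channel key with the SID of the WECS service account; a False result points at the ACL rather than the query.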
ScorpionSting

Re: Collecting Events from NTLM Operational Logs


I've found your problem....used wbemtest to help me...

You have:

Code:
--------------------
Microsoft-Windows-NTLM/Operational,"EventCode = 8001 OR EventCode = 8002 OR EventCode 8003 OR EventCode 8004"
--------------------


Try correcting it to:

Code:
--------------------
Microsoft-Windows-NTLM/Operational,"EventCode = 8001 OR EventCode = 8002 OR EventCode = 8003 OR EventCode = 8004"
--------------------


😄


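The EventLogQuery entry from the first post and the corrected one in this reply differ only in the two missing "=" operators, which WMI reported as InvalidQuery in swecs.log. The Python below is an added example (not from this thread, Sentinel, or WECS) that rebuilds the Win32_NTLogEvent query in the shape the collector logged from such an entry and flags malformed filter terms before the collector is restarted; the entry format, query shape and time window are taken from this thread, the function names are my own.

```python
import re
from datetime import datetime, timezone

# Shape of a WECS EventLogQuery entry as it appears in this thread: LogName,"<WQL filter>"
ENTRY_RE = re.compile(r'^\s*([^,]+?)\s*,\s*"(.*)"\s*$')
# One comparison term of the filter: <property> <operator> <number or quoted string>
TERM_RE = re.compile(r"^\(?\s*\w+\s*(=|!=|<>|<=|>=|<|>)\s*(\d+|'[^']*')\s*\)?$")
LOGICAL_RE = re.compile(r"\s+(?:OR|AND)\s+", re.IGNORECASE)

# The two entries from this thread: the original with the missing operators, and the fix.
BROKEN_ENTRY = ('Microsoft-Windows-NTLM/Operational,'
                '"EventCode = 8001 OR EventCode = 8002 OR EventCode 8003 OR EventCode 8004"')
FIXED_ENTRY = ('Microsoft-Windows-NTLM/Operational,'
               '"EventCode = 8001 OR EventCode = 8002 OR EventCode = 8003 OR EventCode = 8004"')

def parse_entry(entry):
    """Split 'LogName,"filter"' into (logname, filter); raise if the entry is not in that form."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError('entry is not in the LogName,"filter" form: %r' % entry)
    return m.group(1), m.group(2)

def invalid_terms(wql_filter):
    """Return the comparison terms that lack a '<prop> <op> <value>' shape (e.g. a missing '=')."""
    terms = [t.strip() for t in LOGICAL_RE.split(wql_filter)]
    return [t for t in terms if not TERM_RE.match(t)]

def cim_datetime(dt):
    """Format a datetime as the CIM_DATETIME string WMI expects for TimeWritten bounds."""
    dt = dt.astimezone(timezone.utc)  # normalise to UTC, hence the +000 offset
    return dt.strftime("%Y%m%d%H%M%S.%f") + "+000"

def example_window():
    """The query window seen in the swecs.log excerpt earlier in the thread (UTC)."""
    return (datetime(2015, 12, 25, 15, 16, 41, tzinfo=timezone.utc),
            datetime(2015, 12, 25, 15, 31, 41, tzinfo=timezone.utc))

def build_wql(entry, start, end):
    """Reconstruct the Win32_NTLogEvent query the collector logs for one entry and time window.

    Raises ValueError naming the offending term(s) instead of handing WMI an InvalidQuery."""
    logname, wql_filter = parse_entry(entry)
    bad = invalid_terms(wql_filter)
    if bad:
        raise ValueError("invalid filter term(s): %s" % "; ".join(bad))
    return ("Select * from Win32_NTLogEvent Where Logfile = '%s' AND (%s) "
            "AND TimeWritten >= '%s' AND TimeWritten <= '%s'"
            % (logname, wql_filter, cim_datetime(start), cim_datetime(end)))
```

Note that Win32_NTLogEvent only exposes the classic event logs registered under HKLM\SYSTEM\CurrentControlSet\Services\EventLog, so a well-formed query against an Applications and Services channel such as this one can still come back empty, as the wbemtest result earlier in the thread did.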