SIEM Collector (Windows Agent) query to remote windows host for event logs

Hi!

My goal is to query a remote Windows host for Windows event logs with the SIEM Collector Agent. For testing I'm using a domain admin user, but I can't finish the configuration because of this error message:

[Screenshot: error.jpg]

There's no firewall or anything of that kind. On the other side there is no sign of any logon attempts by the user. Is there anything special that needs to be enabled on the remote side?

7 Replies

Re: SIEM Collector (Windows Agent) query to remote windows host for event logs

Hi,

Let's start from somewhere.

First be sure that you have tried to use IP and Netbios for the Host just to be sure that it's not DNS issue.

Otherwise try this solution from the help content.

If you are unable to connect to a remote host and you have all the correct credentials, check the Network Security: LAN Manager authentication levels for both devices. To do this:

1. Access Network Security: LAN Manager authentication level (Administrator Tools > Local Security Policy (or Domain) > Local Policies > Security Options > Network Security: LAN Manager authentication level).

2. Make sure that both the machine running the service and the remote host are using the same value.
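The comparison this reply asks for can be scripted from the collector host. The following PowerShell is an added example, not code from the thread or from McAfee; it assumes PowerShell remoting (WinRM) is enabled on the remote host and that the `$RemoteHost` and `$Credential` parameters are supplied by the person running it. The policy "Network security: LAN Manager authentication level" is stored in the registry value `LmCompatibilityLevel` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; when the value is absent, the operating-system default applies.

```powershell
# Added example (not from the thread or McAfee): read the LAN Manager
# authentication level on this host and on a remote host and compare them.
param(
    [Parameter(Mandatory = $true)]
    [string]$RemoteHost,        # assumption: name or IP of the host to collect from
    [pscredential]$Credential   # assumption: account the collector service uses
)

# Meaning of LmCompatibilityLevel values as documented by Microsoft.
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

# Runs locally and, via Invoke-Command, on the remote host. Returns the
# explicitly configured level or $null when the policy is "Not Defined".
$readLevel = {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.LmCompatibilityLevel } else { $null }
}

$remoteArgs = @{ ComputerName = $RemoteHost; ScriptBlock = $readLevel }
if ($Credential) { $remoteArgs.Credential = $Credential }

$localLevel  = & $readLevel
$remoteLevel = Invoke-Command @remoteArgs

function Describe-Level([object]$level) {
    # Recent Windows versions default to 3 (NTLMv2 only) when nothing is set.
    if ($null -eq $level) { return 'not defined (OS default, normally 3: NTLMv2 only)' }
    return "$level ($($levelNames[[int]$level]))"
}

Write-Host "Collector host ($env:COMPUTERNAME): $(Describe-Level $localLevel)"
Write-Host "Remote host ($RemoteHost):           $(Describe-Level $remoteLevel)"

if ($localLevel -ne $remoteLevel) {
    Write-Host "[WARN] LAN Manager authentication levels differ; the help content asks for the same value on both sides."
    # The combinations that actually break authentication are a client at
    # 0-2 (LM/NTLM responses) talking to a server at 4-5 (which refuses them).
} else {
    Write-Host "[OK]   Both hosts use the same LAN Manager authentication level."
}
```

Run it as `.\Compare-LmLevel.ps1 -RemoteHost 10.0.0.5 -Credential (Get-Credential)` from the machine running the collector service. A `[WARN]` does not by itself prove the cause of the failure, but it is the first thing the help content asks you to rule out.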

Re: SIEM Collector (Windows Agent) query to remote windows host for event logs

Hi,

Thank you for your response! I've already tried the solution suggested in the help content, but still no success. As you can see on the screenshot, at this point the host validation was successful (by IP address). But when the agent tries to query the available event log containers, the query fails. It must be something about special privileges, or I don't know. The user is a built-in domain admin, as you can see, and of course the remote host is also a domain member.


Thank you!

Re: SIEM Collector (Windows Agent) query to remote windows host for event logs

Hi Pamuk,

Check the following log during the time you try to connect:

C:\Program Files (x86)\McAfee\Windows Event Collector\debug.log

There should be clear indication what is happening.

Re: SIEM Collector (Windows Agent) query to remote windows host for event logs

Hi Alexander,

I'm using the Full Diagnostic logging level (debug) everywhere, but it seems the service does not log the activities for hosts with unsaved configurations. The debug.log file remains unchanged while the agent tries to query the remote host during the configuration.

Re: SIEM Collector (Windows Agent) query to remote windows host for event logs

Hm,

If you have performed all the steps we've discussed, I can suggest that you open a case with McAfee.

paider

Re: SIEM Collector (Windows Agent) query to remote windows host for event logs

Most of the time when I see this, I usually don't have the right password for the admin ID. Just make sure you can log in to the PC/server with that ID.

btkarp

Re: SIEM Collector (Windows Agent) query to remote windows host for event logs

Not sure if this issue has been resolved, but ensure that the admin account is a part of the Event Log Readers group. With some SIEMs, this is still a requirement even with domain admin accounts.
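Both the group-membership requirement in this reply and the "query for available event log containers" failure earlier in the thread can be checked from the collector host without the agent. The PowerShell below is an added example, not code from the thread or from McAfee; it assumes PowerShell remoting is enabled on the remote host, that `Get-LocalGroupMember` is available there (Windows 10 / Server 2016 and later), and that the `$RemoteHost`, `$Account` and `$Credential` parameters are supplied by the person running it. How the agent itself talks to the remote host is not described on this page; the script simply enumerates the remote logs with the built-in `Get-WinEvent` cmdlet, which exercises the same remote Event Log service the agent needs.

```powershell
# Added example (not from the thread or McAfee): verify the two prerequisites
# for reading a remote host's event logs with a non-agent tool.
#  1. Is the collector account in the remote host's built-in "Event Log Readers" group?
#  2. Can that account enumerate the remote host's event logs at all?
param(
    [Parameter(Mandatory = $true)][string]$RemoteHost,  # assumption: host to collect from
    [Parameter(Mandatory = $true)][string]$Account,     # assumption: DOMAIN\user the collector uses
    [pscredential]$Credential                           # assumption: credential for that account
)

$cred = @{}
if ($Credential) { $cred.Credential = $Credential }

# --- 1. Group membership on the remote host (over PowerShell remoting) ---
# Get-LocalGroupMember lists direct members only. If the account is a member
# through a nested domain group, that group appears here instead of the user,
# so check the domain group's membership separately in that case.
$members = @(Invoke-Command -ComputerName $RemoteHost @cred -ScriptBlock {
    Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
})

if ($members -contains $Account) {
    Write-Host "[OK]   $Account is a direct member of 'Event Log Readers' on $RemoteHost"
} else {
    Write-Host "[WARN] $Account is not a direct member of 'Event Log Readers' on $RemoteHost"
    Write-Host "       Current direct members: $(if ($members) { $members -join ', ' } else { '(none)' })"
}

# --- 2. Remote log enumeration ---
# Get-WinEvent -ComputerName uses the remote Event Log service over RPC, so the
# "Remote Event Log Management" inbound firewall rule group must be enabled on
# the remote host. Individual logs the account may not read produce per-log
# errors, so they are collected rather than allowed to abort the whole call.
$logs = @(Get-WinEvent -ComputerName $RemoteHost @cred -ListLog * `
            -ErrorAction SilentlyContinue -ErrorVariable listErrors)

if ($logs.Count -eq 0) {
    Write-Host "[FAIL] No event logs could be enumerated on $RemoteHost"
    $listErrors | Select-Object -First 3 | ForEach-Object {
        Write-Host "       $($_.Exception.Message)"
    }
    # Typical causes: account missing from Event Log Readers, RPC blocked,
    # or an authentication mismatch (see the LAN Manager level check above).
} else {
    $readable = $logs | Where-Object { $_.RecordCount -gt 0 }
    Write-Host "[OK]   Enumerated $($logs.Count) logs on $RemoteHost ($($readable.Count) non-empty)"
    Write-Host "       Logs that returned an error: $($listErrors.Count)"
    $readable | Sort-Object RecordCount -Descending |
        Select-Object -First 10 LogName, RecordCount, LogMode | Format-Table -AutoSize
}
```

Run it as `.\Test-RemoteEventLog.ps1 -RemoteHost 10.0.0.5 -Account 'CORP\svc-siem' -Credential (Get-Credential)`. If step 2 returns `[FAIL]` for an account that is a domain admin, the result supports this reply's point that the account must still be granted Event Log Readers membership (or the remote Event Log RPC path is blocked), independent of the agent's own configuration.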
