My goal is to query a remote Windows host for Windows event logs with the SIEM Collector Agent. For testing I'm using a domain admin user, but I can't finish the configuration because of this error message:
There are no firewalls or anything of that kind. On the other side there is no sign of any logon attempts by the user. Is there anything special that needs to be enabled on the remote side?
Let's start from somewhere.
First, be sure that you have tried both the IP address and the NetBIOS name for the host, just to rule out a DNS issue.
Otherwise try this solution from the help content.
If you are unable to connect to a remote host and you have all the correct credentials, check the Network Security: LAN Manager authentication levels for both devices. To do this:
1. Access Network Security: LAN Manager authentication level (Administrator Tools > Local Security Policy (or Domain) > Local Policies > Security Options > Network Security: LAN Manager authentication level).
2. Make sure that both the machine running the service and the remote host are using the same value.
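To compare the two values without clicking through the policy editor on each box, here is an added PowerShell snippet (my own example, not from the thread or the McAfee help content). The policy is stored as the DWORD LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; when the policy is Not Defined the value is absent and the OS default applies. It assumes the Remote Registry service is reachable on the remote host and that $RemoteHost is a placeholder for the host you are collecting from.

```powershell
# Added example: compare "Network Security: LAN Manager authentication level"
# on the collector host and on a remote host. Not product code.
# Assumptions: the account running this has remote registry read rights and
# the Remote Registry service is running on $RemoteHost (placeholder name).

$RemoteHost = 'FILESRV01'   # placeholder, replace with the real host or IP

# Meaning of each LmCompatibilityLevel value, as shown in the policy editor
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([string]$ComputerName)

    # Open HKLM on the target via the Remote Registry service (RPC/SMB), or
    # locally when no computer name is given.
    if ($ComputerName) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    } else {
        $hklm = [Microsoft.Win32.Registry]::LocalMachine
    }
    try {
        $lsa   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $value = $lsa.GetValue('LmCompatibilityLevel')   # $null when the policy is Not Defined
        $lsa.Close()
    } finally {
        if ($ComputerName) { $hklm.Close() }   # never close the static local hive object
    }
    return $value
}

function Format-LmLevel {
    param($Level)
    if ($null -eq $Level) { return 'Not Defined (OS default applies)' }
    return ('{0} = {1}' -f $Level, $LmLevelNames[[int]$Level])
}

$local  = Get-LmCompatibilityLevel
$remote = Get-LmCompatibilityLevel -ComputerName $RemoteHost

"Collector host : $(Format-LmLevel $local)"
"$RemoteHost : $(Format-LmLevel $remote)"

if ($null -ne $local -and $null -ne $remote -and $local -ne $remote) {
    Write-Warning 'LAN Manager authentication levels differ; align them (prefer 5, NTLMv2 only) and retry.'
} elseif ($null -eq $local -or $null -eq $remote) {
    Write-Warning 'At least one side has the policy Not Defined, so its OS default applies; set it explicitly on both sides to be sure they match.'
}
```

If the two levels differ, set the higher one on both sides rather than lowering the stricter host, since levels 0 to 2 allow LM or NTLMv1 responses that an on-path attacker can crack or relay.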
Thank you for your response! I've already tried the solution suggested in the help content, but still no success. As you can see on the screenshot, at this point the host validation was successful (by IP address). But when the agent tries to query for available event log containers, the query fails. It must be something about special privileges, or I don't know. The user is a built-in domain admin, as you can see; of course the remote host is also a domain member.
Check the following log during the time you try to connect:
C:\Program Files (x86)\McAfee\Windows Event Collector\debug.log
There should be clear indication what is happening.
I'm using the Full Diagnostic logging level (debug) everywhere, but it seems the service does not log the activity for hosts with unsaved configurations. The debug.log file remains unchanged while the agent tries to query the remote host during the configuration.
Most of the time when I see this, I usually don't have the right password for the admin ID. Just make sure you can log in to the PC/server with that ID.
Not sure if this issue has been resolved, but ensure that the admin account is part of the Event Log Readers group. With some SIEMs, this is still a requirement even with domain admin accounts.
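To check the group membership and then reproduce the collector's remote query outside the product, here is an added PowerShell snippet (my own example, not from the thread or the McAfee product). It lists the remote host's local Event Log Readers group and then reads the Security log remotely with the collector account's credentials over RPC, which is the same kind of query the agent makes when it enumerates event log containers. It assumes PowerShell 5.1 or later on both sides, WinRM enabled on the remote host for the Invoke-Command step, and placeholder names $RemoteHost and $CollectorAccount.

```powershell
# Added example: verify that the collector account can read event logs on the
# remote host the way the SIEM Collector Agent will. Not product code.
# Assumptions: PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module) and
# WinRM on $RemoteHost for the group check; Get-WinEvent itself uses RPC.
# $RemoteHost and $CollectorAccount are placeholders.

$RemoteHost       = 'FILESRV01'        # placeholder
$CollectorAccount = 'CORP\svc-siem'    # placeholder; the thread used a domain admin
$Cred             = Get-Credential -UserName $CollectorAccount -Message 'Collector account password'

# 1. Who is in the remote host's local Event Log Readers group?
$members = Invoke-Command -ComputerName $RemoteHost -Credential $Cred -ScriptBlock {
    Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object Name, ObjectClass
}
"Event Log Readers on $RemoteHost :"
$members | Format-Table Name, ObjectClass -AutoSize

if (-not ($members.Name -contains $CollectorAccount)) {
    Write-Warning "$CollectorAccount is not a direct member of Event Log Readers on $RemoteHost (membership via a nested group is not detected here)."
    # Uncomment to add it (needs local admin rights on the remote host):
    # Invoke-Command -ComputerName $RemoteHost -Credential $Cred -ScriptBlock {
    #     Add-LocalGroupMember -Group 'Event Log Readers' -Member $using:CollectorAccount
    # }
}

# 2. Can the account enumerate logs and read the Security log over RPC?
#    A failure here reproduces the agent's "query for event log containers"
#    error without the product in the way.
try {
    $logs = Get-WinEvent -ListLog * -ComputerName $RemoteHost -Credential $Cred -ErrorAction Stop |
            Where-Object { $_.RecordCount -gt 0 } |
            Select-Object -First 10 LogName, RecordCount
    "Readable logs on $RemoteHost (first 10 with records):"
    $logs | Format-Table -AutoSize

    $latest = Get-WinEvent -LogName Security -MaxEvents 3 -ComputerName $RemoteHost -Credential $Cred -ErrorAction Stop
    "Latest Security events read as $CollectorAccount :"
    $latest | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
}
catch {
    # Typical causes: RPC not reachable (Remote Event Log Management firewall
    # rule group), wrong password, or the account lacking read rights on the log.
    Write-Warning "Remote event log query failed: $($_.Exception.Message)"
}
```

Run it from the collector host as the same account the agent service uses. If step 2 succeeds here but the agent still fails, the problem is on the agent side (stored credential, host entry, or LM level); if step 2 fails with an access error, fix the group membership or the log's channel ACL on the remote host first.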