Hey everyone. New to the forums but I have been working with the SIEM for around 1.5 years now. I am having some issues with the Windows agent and I'm not sure where to look. I'm hoping you all might be able to help or at least point me in the right direction. I tried searching around a bit and couldn't really find what I was looking for. Anyway, here is the issue.
I have a McAfee Windows agent installed on a machine forwarding Windows WMI logs to the SIEM. The Windows agent seemed to be working perfectly until I noticed I was not receiving any logs from the devices. The agent debug.log file helps verify the story. The pictures and log below will help explain the issue.
As you can see in the picture below, I am able to select which WMI logs I would like to receive with the agent. This verifies that I have the correct credentials and I am in fact able to connect to the machine.
Here is the log I am seeing in the agent's "debug.log":
<134>1 Jun 26 14:12:27 PC1029 McAfeeEventCollector: INFO 10 Init Plugin initializing
<131>1 Jun 26 14:12:27 PC1029 McAfeeEventCollector: ERROR 10 GetTargetVersion Failed to retrieve windows version for target machine: 192.168.13.21
<134>1 Jun 26 14:12:27 PC1029 McAfeeEventCollector: INFO 10 Init Loaded plugin: Plugins\Win32EventLog.dll
<131>1 Jun 26 14:12:27 PC1029 McAfeeEventCollector: ERROR 10 Init Failed to make remote connection: Remote connection failed with error: A specified logon session does not exist. It may already have been terminated
<132>1 Jun 26 14:12:27 localhost McAfeeEventCollector: WARN 0 ShutdownPluginWatcher Failed to initialize the plugin(windows)[McAfee.EventCollector.WindowsEventPlugin.dll], try 26
<135>1 Jun 26 14:12:27 localhost McAfeeEventCollector: DEBUG 0 ShutdownPluginWatcher Initializing plugin(windows)[McAfee.EventCollector.WindowsEventPlugin.dll]
I'm not really sure where to go with this. From the log messages, it seems it would be an issue within Windows or Windows policy.
Have any of you experienced this issue before, or can you give me some pointers? I am not real great with Microsoft Windows policies.
Any help would be greatly appreciated. Thanks!