IBM Support

WinCollect: Troubleshooting WinCollect agents configured with Network Address Translation (NAT)

Troubleshooting


Problem

QRadar cannot poll events from a remote Windows host that sits behind Network Address Translation (NAT).
The WinCollect log shows Win32 error codes such as the following:
Error code 0x0574: The target account name is incorrect.
Error code 0x0040: The specified network name is no longer available.
Error code 0x0043: The network name cannot be found.
In some cases, when a NAT boundary sits between the WinCollect agent and the QRadar Event Collector (EC) or Console, events do not reach QRadar at all.

Symptom

  • The WinCollect agent does not receive the required events from the remote devices.
  • QRadar cannot push a new configuration to the WinCollect agent.
  • Remote polling fails when the WinCollect host is in a NAT'ed network, for example:
    1. RPC-related errors, such as error code 1722 (The RPC server is unavailable).
    2. Polling across a domain boundary with insufficient permissions.
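The codes listed under Problem and Symptom are ordinary Win32 error numbers printed in hexadecimal (0x0574 is 1396 decimal), so Windows can translate them for you. The following script is an added example, not part of the IBM article or of WinCollect: it scans log text for "Error code 0x<hex>" or a bare decimal code such as 1722, resolves each one to its system message through System.ComponentModel.Win32Exception, and tags it with the failure category the article associates with it (network name, RPC, account or cross-domain permissions). The log lines are constructed for illustration; the only assumption about the real log format is that the error text appears in the line.

```powershell
# Added example, not from the IBM article. Decodes Win32 error codes found in
# WinCollect log text and buckets them by the categories the article lists.
# The lines below are constructed sample data, not real WinCollect output.
$SampleLogLines = @(
    'Remote poll of host fileserver01 failed. Error code 0x0574'
    'Remote poll of host 10.0.0.25 failed. Error code 0x0040'
    'Remote poll of host dc02.corp.example failed. Error code 0x0043'
    'Remote poll of host appsrv03 failed. RPC error 1722'
    'Heartbeat sent to destination 203.0.113.10:8413'
)

# Categories taken from the article's Symptom/Cause lists; anything else is 'other'.
$Category = @{
    64   = 'network name / connectivity'         # 0x0040 ERROR_NETNAME_DELETED
    67   = 'network name / connectivity'         # 0x0043 ERROR_BAD_NET_NAME
    1396 = 'account / cross-domain permissions'  # 0x0574 ERROR_WRONG_TARGET_NAME
    1722 = 'RPC'                                 # RPC_S_SERVER_UNAVAILABLE
}

function ConvertFrom-WinCollectError {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # Hex form as printed by WinCollect (0x0574) or a bare decimal code (1722).
        if ($line -match 'Error code 0x(?<hex>[0-9A-Fa-f]+)') {
            $code = [Convert]::ToInt32($Matches.hex, 16)
        } elseif ($line -match '\berror (?<dec>\d{3,5})\b') {
            $code = [int]$Matches.dec
        } else {
            continue   # not an error line
        }

        # Win32Exception resolves a Win32 error number to the OS message text,
        # so the message table is not hard-coded here.
        $message  = [System.ComponentModel.Win32Exception]::new($code).Message
        $category = 'other'
        if ($Category.ContainsKey($code)) { $category = $Category[$code] }

        [pscustomobject]@{
            Code     = '0x{0:X4} ({1})' -f $code, $code
            Message  = $message
            Category = $category
            Line     = $line
        }
    }
}

ConvertFrom-WinCollectError -Lines $SampleLogLines | Format-Table -AutoSize
```

Pipe the actual agent log through `Get-Content` into `ConvertFrom-WinCollectError` to get the same table for a real host. Codes in the "network name / connectivity" bucket point at the NAT, firewall and proxy checks under Resolving The Problem; 0x0574 and 1722 point at the account, domain and RPC checks.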

Cause

  • There is generally a communication problem between the Console or Event Collector and the Windows host:
    1. The required ports are not open.
    2. The firewall is not configured to accept the connections.
    3. A proxy in between is configured to block connections on ports 514 and 8413.
  • An internal (private) IP address was configured when the WinCollect agent was installed, rather than the address that is reachable from the NAT network.
  • A separate destination for the NAT environment was not created in the WinCollect tab.
    To check the destinations:
    1. Click the Admin tab.
    2. Scroll to Events.
    3. Click the WinCollect icon.
    4. Click Destinations.
    5. Check your destinations.

    Results
    You validated that you created the correct destinations to the Event Collector or Console for your NAT environment.

Environment

The following combinations of environments are possible:
  • The WinCollect agent is polling events from multiple Windows hosts, which are all in the same NAT environment.
  • The WinCollect agent and Event Collector are in the same subnet, or the Event Collector and Console are in the same subnet:
    Option 1:
    • The WinCollect agent connects to the Event Collector.
    • The Event Collector connects to the Event Processor.
    • The Event Processor connects to the Console.
    Option 2:
    • The WinCollect agent connects to the firewall.
    • The firewall connects to the Event Collector.
    • The Event Collector connects to the Console.
Example architecture: NAT Sample Diagram (figure)

Resolving The Problem

  • Check connectivity with your Windows administrator to verify that the network can reach QRadar, by using Test-NetConnection, Telnet, Ncat, or a similar tool.
  • Verify whether there are network-related issues caused by Windows Firewall, a proxy, an external firewall, or any intermediate network device.
  • If a managed WinCollect agent is used, check whether a WinCollect destination is configured, and ensure that the destination has the correct public-facing IP address for the NAT network.
  • Verify whether the path for remote polling is formatted incorrectly. Verify this path on the Windows host where WinCollect is installed.
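The checks above can be run from the WinCollect host itself. The script below is an added example, not part of the IBM article or of WinCollect: it tests TCP reachability of the QRadar destination on the two ports the article names (514 and 8413), shows the local Windows Firewall posture, and for each remotely polled Windows host checks name resolution, the RPC endpoint mapper (TCP 135, a standard Windows port that the article does not mention) and an actual remote event read, so that the Win32 codes from the Problem section surface in one table. The destination address, host names and ports are assumptions for illustration; replace them with your own values.

```powershell
# Added example, not from the IBM article. Run on the Windows host where the
# WinCollect agent is installed. All addresses and host names are assumptions.
$QRadarDestination = '203.0.113.10'   # public-facing address of the EC/Console as seen from the NAT network
$QRadarTcpPorts    = @(514, 8413)     # event path and WinCollect management ports named in the article
$PolledHosts       = @('fileserver01.corp.example', '10.0.0.25')

function Test-QRadarDestination {
    param([Parameter(Mandatory)][string]$Destination, [Parameter(Mandatory)][int[]]$Ports)
    foreach ($port in $Ports) {
        # Test-NetConnection checks TCP only: a UDP 514 syslog destination cannot
        # be confirmed this way (confirm it with a packet capture on the QRadar side).
        $r = Test-NetConnection -ComputerName $Destination -Port $port -WarningAction SilentlyContinue
        $note = 'ok'
        if (-not $r.TcpTestSucceeded) { $note = 'blocked or no listener: check NAT, firewall and proxy rules for this port' }
        [pscustomobject]@{
            Target   = '{0}:{1}' -f $Destination, $port
            Resolved = $r.RemoteAddress
            TcpOpen  = $r.TcpTestSucceeded
            Note     = $note
        }
    }
}

function Test-RemotePollHost {
    param([Parameter(Mandatory)][string]$ComputerName)
    # 0x0043 / 0x0040 style failures start with name resolution and reachability.
    $addresses = @()
    try { $addresses = [System.Net.Dns]::GetHostAddresses($ComputerName) } catch { }

    # Remote event log polling relies on RPC; 135 is the RPC endpoint mapper.
    $rpc = (Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded

    # Read one event remotely with the current credentials. A failure here carries
    # the same Win32 message (1722, 0x0574, ...) that the agent logs.
    $pollError = $null
    try {
        $null = Get-WinEvent -ComputerName $ComputerName -LogName System -MaxEvents 1 -ErrorAction Stop
    } catch {
        $pollError = $_.Exception.Message
    }

    [pscustomobject]@{
        Host      = $ComputerName
        Resolves  = ($addresses.Count -gt 0)
        Addresses = ($addresses | ForEach-Object { $_.IPAddressToString }) -join ','
        RpcPort   = $rpc
        PollOk    = (-not $pollError)
        PollError = $pollError
    }
}

# Local Windows Firewall posture: a profile with DefaultOutboundAction = Block
# needs an explicit rule for the ports above.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction | Format-Table -AutoSize
Test-QRadarDestination -Destination $QRadarDestination -Ports $QRadarTcpPorts | Format-Table -AutoSize
$PolledHosts | ForEach-Object { Test-RemotePollHost -ComputerName $_ } | Format-Table -AutoSize
```

If `Resolved` differs from the address configured in the WinCollect destination, or `TcpOpen` is false on 8413 while 514 succeeds, the destination is pointing at the wrong side of the NAT; if `PollError` reports error 1722 while `RpcPort` is true, the endpoint mapper is reachable but the dynamic RPC ports behind it are being filtered.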
Results
The WinCollect agent now receives the required logs from the end devices, and QRadar can push a new configuration to the WinCollect agent.

 
For more information about this topic, see the following documents.

Document Location

Worldwide

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.


Document Information

Modified date:
21 February 2023

UID

ibm16954417