IBM Support

WinCollect: 10.1.4 can experience an issue where security events do not forward to Domain Controllers (IJ47086)

Troubleshooting


Problem

When a Windows server is promoted to a Domain Controller, the local group policies are disabled and Active Directory security policies are applied. Users who updated to WinCollect 10.1.4 and run the agent under the virtual account (NT SERVICE\WinCollect) can experience an issue where Security events cannot be forwarded to QRadar, as described in APAR IJ47086. Users who experience this issue can change the WinCollect service to use the LocalSystem account to resolve it. This technical note describes the workaround in more detail.

Symptom

Administrators who updated to WinCollect 10.1.4 and installed with the virtual account option (NT SERVICE\WinCollect) cannot collect and forward Security events to QRadar. This issue can occur when a Windows administrator promotes a Windows server to a Domain Controller, because the local account policies change.
Because Application and System channel events do not require special permissions, those events are still read and forwarded to QRadar.

When this issue occurs, the following error message can be displayed in the WinCollect logs:
Unable to subscribe to channel Security - error:5:Access is denied.

Environment

WinCollect 10.1.4 where a Windows Server installation is promoted to a Domain Controller.

Resolving The Problem

Windows administrators can update the WinCollect service properties on the Domain Controller to resolve this issue.

Procedure
  1. Log in to the Windows host with the WinCollect agent.
  2. Press Windows key + R.
  3. Type services.msc and press Enter.
  4. Right-click on the IBM WinCollect service, select Properties.
    Note: Administrators who installed WinCollect 10.1.4 with a virtual account see the Log On As column display NT SERVICE.
  5. Click the Log On tab and select Local System account.
  6. Click OK.
  7. Right-click on the WinCollect service and select Restart.
    Note: The Log On As column is expected to display Local System.

Results
After the WinCollect agent service restarts, Security events are forwarded successfully. Administrators can use the WinCollect agent Top Sources graph or the QRadar user interface to confirm that Security channel events are received from the Domain Controller.
  • Option 1: Log in to the WinCollect 10 user interface and confirm that the Top Sources graph shows EPS for Security events.
  • Option 2: Log in to the QRadar user interface and filter the Log Activity tab to confirm that events are received from the Domain Controller.
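The same workaround applied from an elevated PowerShell prompt on the Domain Controller, as an added example that is not part of this IBM tech note. It assumes the Windows service name is WinCollect (adjust $ServiceName if services.msc shows a different name) and only reconfigures the service when it currently runs under the NT SERVICE virtual account described above.

```powershell
# Added example (not from the IBM tech note): LocalSystem workaround for APAR IJ47086.
# Assumption: the WinCollect Windows service is named 'WinCollect'.
$ServiceName = 'WinCollect'

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -notin 4, 5) {
    Write-Host "This host is not a Domain Controller (DomainRole=$role); the IJ47086 workaround does not apply."
    return
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' was not found; check the name in services.msc." }
Write-Host "Current Log On As: $($svc.StartName)"

# Only the virtual account (NT SERVICE\WinCollect) is affected by IJ47086.
if ($svc.StartName -like 'NT SERVICE\*') {
    # Equivalent of Properties > Log On > Local System account (steps 4 to 6).
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = 'LocalSystem'
        StartPassword = ''
    }
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Service.Change failed with return code $($result.ReturnValue)."
    }
    # Step 7: restart the service so the new logon account takes effect.
    Restart-Service -Name $ServiceName -Force
}

# Confirm the result: Log On As should now read LocalSystem and the service should be Running.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
Write-Host "Log On As: $($svc.StartName)  State: $($svc.State)"
```

After the service restarts, confirm in the WinCollect or QRadar user interface (Option 1 or 2 above) that Security channel events are arriving from the Domain Controller.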

Document Location

Worldwide


Product Synonym

QRadar WinCollect

Document Information

Modified date:
15 June 2023

UID

ibm17004229