Windows Vista collector errors and their known causes

Article ID: 177725

Products

Security Information Manager

Issue/Introduction

You need to know what the messages you see in the Windows Vista collector log mean.

Resolution

This article lists error messages seen in the Windows Vista collector log and the conditions known to cause each one.

Connection Refused message

ERROR 2009-06-11 14:39:57,260 Collectors.3301.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-21 Subscription error. Details: java.net.ConnectException: Connection refused: connect
ERROR 2009-06-11 14:39:57,260 Collectors.3301.wGroup.[workinggroup0].SensorThread Thread-21 [Sensor: Sensor 0] Sensor thread failed to open device. Trying to reopen...

Known Causes

    • The Windows Remote Management (WS-Management) service is not running.
    • No Listener is set up in WS-Management.
    • The Listener is set up for the wrong Transport.
    • A firewall is blocking the traffic. This could be a client firewall on the remote computer being collected from, a firewall on the off-box agent computer, or a network firewall between the two.


Unauthorized Access. Status 401

ERROR 2009-06-11 14:39:57,260 Collectors.3301.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-21 Subscription error. Details: java.net.ConnectException: Connection refused: connect
ERROR 2009-06-11 14:39:57,260 Collectors.3301.wGroup.[workinggroup0].SensorThread Thread-21 [Sensor: Sensor 0] Sensor thread failed to open device. Trying to reopen...
ERROR 2009-06-11 14:42:53,857 Collectors.3301.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-21 Exception occurred while connecting to target log. Details: java.io.IOException: Unauthorized access. Status: 401. It is possible you provided incorrect Kerberos configuration.
java.io.IOException: Unauthorized access. Status: 401. It is possible you provided incorrect Kerberos configuration.
at com.symantec.cas.ucf.sensors.ws_management.RequestBroker.readResponse(RequestBroker.java:293)
at com.symantec.cas.ucf.sensors.ws_management.RequestBroker.sendRequest(RequestBroker.java:277)
at com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor.unsubscribe(WSManagementSensor.java:445)
at com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor.CloseDevice(WSManagementSensor.java:123)
at com.symantec.cas.ucf.collector.SensorJob.closeSensor(SensorJob.java:192)
at com.symantec.cas.ucf.collector.SensorJob.run(SensorJob.java:295)
at java.lang.Thread.run(Thread.java:619)

Known Causes
 

    • There is a time discrepancy of more than one minute between the Windows servers and SSIM. A solution is to use the same NTP server on both, if possible.
    • The Security Descriptor (SDDL string) is not correct for the user specified in the Sensor Configuration.
    • The SDDL string format is invalid. Make sure there are no spaces in the string, that it has the correct number of semicolons, and that the identifier entered is an existing one.
      An invalidly formatted SDDL string forces the WinRM service to fall back to its default ROOT SDDL, which does not grant sufficient rights for the Vista/2008 collector to work.
    • The credentials entered in the sensor configuration are incorrect.
    • The user the Windows Vista collector sensor is set up with does not have sufficient access rights.
    • If the collector is collecting from a computer in a different domain branch (cross-domain), you must use Basic authentication, which uses a local account on the target machine. To do this, remove the Realm from the sensor configuration and enter the account in the format <Computer Name\User Name>.
    • The winrm configuration has not been updated correctly. Run the following command on the Windows machine:

      winrm get winrm/config

      It should return these settings under the Services section.
      Auth
      Basic = true
      Kerberos = true
      Negotiate = true
      Certificate = false

      If it returns Basic = false, you will need to run the commands from step 4 on page 17 of the Collector guide on the Windows machine.
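A check of the winrm get winrm/config output described above, as an added Python example that is not part of this article or the collector's code. The sample output is constructed and its indented key = value layout is an assumption; the parser keys on indentation so that the Service section's Auth values are checked rather than the Client section's.

```python
# Constructed, abridged sample of `winrm get winrm/config` output; the nested
# layout with 4-space indentation is an assumption about the tool's format.
SAMPLE_OUTPUT = """Config
    MaxEnvelopeSizekb = 150
    Client
        Auth
            Basic = true
            Kerberos = true
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)S:P(AU;FA;GA;;;WD)(AU;SA;GWGX;;;WD)
        MaxConcurrentOperations = 4294967295
        Auth
            Basic = false
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
"""
# The Service/Auth values the article says a working collector needs.
EXPECTED_SERVICE_AUTH = {"Basic": "true", "Kerberos": "true",
                         "Negotiate": "true", "Certificate": "false"}


def parse_winrm_config(text):
    """Turn the indented output into nested dicts keyed by section name."""
    root = {}
    stack = [(-1, root)]                       # (indent, dict for that level)
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while stack[-1][0] >= indent:          # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        key, sep, value = line.strip().partition("=")
        if sep:                                # "Key = value" leaf
            parent[key.strip()] = value.strip()
        else:                                  # section header, e.g. "Service"
            parent[key.strip()] = {}
            stack.append((indent, parent[key.strip()]))
    return root


def check_service_auth(config):
    """Map each mismatched Service/Auth setting to (expected, actual).
    Only the Service section counts; the same keys under Client are ignored."""
    auth = config.get("Config", {}).get("Service", {}).get("Auth", {})
    return {k: (v, auth.get(k, "<missing>"))
            for k, v in EXPECTED_SERVICE_AUTH.items() if auth.get(k) != v}
```

Run check_service_auth(parse_winrm_config(output)) against the real command output; an empty result means the Auth settings match the list above, otherwise each entry names the setting to fix.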


Untrusted Server Certificate Chain, Connection Reset, Recv Failed

ERROR 2009-06-11 16:03:59,169 Collectors.3301.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-16 Subscription error. Details: java.net.SocketException: Connection reset
ERROR 2009-06-11 16:03:59,369 Collectors.3301.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-16 Subscription error. Details: java.net.SocketException: Software caused connection abort: recv failed
ERROR 2009-06-11 16:03:59,185 Collectors.3301.wGroup.[workinggroup0].SensorThread Thread-16 [Sensor: Sensor 0] Sensor thread failed to open device. Trying to reopen...
ERROR 2009-06-11 16:04:56,295 Collectors.3301.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-16 Subscription error. Details: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain

Known Causes

    • The Listener is set up with the Thumbprint of the wrong Certificate.
    • The Symantec Agent does not have the Certificate imported into it. Import the certificate using keytool.exe.


Note: In some cases you must specify the Thumbprint manually because winrm quickconfig does not select the right certificate. For more information on specifying the Thumbprint manually, read the Knowledge Base article: How to manually specify what certificate the winrm listener uses.

Subscribe fault... No active channel is found for the query

ERROR 2009-12-29 08:36:03,987 Collectors.3301.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-1642 Subscribe fault: Code: Receiver, SubCode: InternalError, Reason: No active channel is found for the query.
 

    • In the sensor configuration, a nonexistent Windows Event Log is set for the Event Logs to Audit setting.


Subscribe fault... An internal error occurred

ERROR 2009-12-23 09:02:10,065 Collectors.3301.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-999 Server response reports about error. Code: Receiver, SubCode: InternalError, Reason: An internal error occurred.
WARN 2009-12-23 09:02:10,065 Collectors.3301.wGroup.[workinggroup0].SensorThread Thread-999 [Sensor: Sensor_0] Exception in Sensor thread while reading device. Details:
java.lang.Exception: Server response reports about error. Code: Receiver, SubCode: InternalError, Reason: An internal error occurred.
at com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor.pullEvents(WSManagementSensor.java:417)
at com.symantec.cas.ucf.sensors.ws_management.WSManagementSensor.readDevice(WSManagementSensor.java:323)
at com.symantec.cas.ucf.collector.SensorJob.pollSensor(SensorJob.java:206)
at com.symantec.cas.ucf.collector.SensorJob.run(SensorJob.java:278)
at java.lang.Thread.run(Thread.java:619)
WARN 2009-12-23 09:02:10,065 Collectors.3301.wGroup.[workinggroup0].SensorThread Thread-999 [Sensor: Sensor_0] Restarting the sensor...
ERROR 2009-12-23 09:02:10,128 Collectors.3301.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-999 Unsubscribe fault: Code: Receiver, SubCode: InternalError, Reason: Element not found.
 

    • This message is returned by WinRM when it is unable to correctly read a Windows Event Log. To find out which Windows Event Log has the problem, collect from the Windows Event Log types one by one.

      The reason it cannot read from an Event Log may be a corrupted event. To get past a corrupted event, you must start reading the log from the end.


Subscribe Fault... The interface is unknown

ERROR 2010-02-18 14:06:06,624 Collectors.3301.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-18 Subscribe fault: Code: Receiver, SubCode: InternalError, Reason: The interface is unknown.
 

    • This is caused by the Windows Event Collector service not running.


Subscribe Fault... The cluster resource is not online.

ERROR 2010-04-16 13:58:59,043 Collectors.3301.wGroup.[workinggroup0].Sensor.[Sensor_0] Thread-22 Subscribe fault: Code: Receiver, SubCode: InternalError, Reason: The cluster resource is not online.
 

    • To see what is actually causing this, set the collector to log in debug mode.
    • In one instance this was caused by the query returning a No Active Channel message. Further investigation showed that Network Service only had Write permission to the logs.
    • The reason could be that Network Service does not have access to the Security event logs. Add this string to the CustomSD for each log to grant Network Service read access: (A;;0x1;;;NS)
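The SDDL format checks listed under the 401 error (no spaces, the correct number of semicolons, an existing identifier) and the CustomSD grant (A;;0x1;;;NS) above, as an added Python example that is not part of this article or the collector's code: it validates a security descriptor string before it is applied and reports whether a principal such as Network Service (NS) actually gets read access. The SID-alias list is a constructed subset, and treating the GA/GR generic rights as read access is an assumption.

```python
import re
# Constructed subset of well-known SDDL SID aliases (an assumption; extend as needed).
KNOWN_SIDS = {"BA", "BU", "BO", "SY", "NS", "LS", "AU", "WD", "IU", "BG", "NU"}
RIGHTS = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
READ_BIT = 0x1                     # the read right the article grants with (A;;0x1;;;NS)
ACE_RE = re.compile(r"\(([^()]*)\)")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_rights(field):
    if field.lower().startswith("0x"):          # hex literal such as 0x1 or 0xf0007
        return int(field, 16)
    pairs = [field[i:i + 2] for i in range(0, len(field), 2)]
    return sum(RIGHTS[p] for p in set(pairs))   # KeyError on an unknown alias


def dacl_aces(sddl):
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)   # ACEs of the D: section
    return ACE_RE.findall(m.group(1)) if m else None


def validate_sddl(sddl):
    """Format checks from the article: no spaces, six fields per ACE, known identifiers."""
    problems = ["contains whitespace"] if re.search(r"\s", sddl) else []
    aces = dacl_aces(sddl)
    if not aces:
        return problems + ["no DACL ACEs found"]
    for ace in aces:
        f = ace.split(";")
        if len(f) != 6:                         # six fields means five semicolons
            problems.append(f"({ace}): expected 6 fields, got {len(f)}")
            continue
        try:
            parse_rights(f[2])
        except (KeyError, ValueError):
            problems.append(f"({ace}): invalid rights {f[2]!r}")
        if f[5] not in KNOWN_SIDS and not SID_RE.match(f[5]):
            problems.append(f"({ace}): unknown SID {f[5]!r}")
    return problems


def grants_read(sddl, principal):
    """True when an Allow ACE gives principal read (GA/GR count too) and no Deny ACE removes it."""
    allowed = False
    for ace in dacl_aces(sddl) or []:
        f = ace.split(";")
        if len(f) != 6 or f[5] != principal:
            continue
        readable = bool(parse_rights(f[2]) & (READ_BIT | RIGHTS["GA"] | RIGHTS["GR"]))
        if f[0] == "D" and readable:
            return False
        allowed = allowed or (f[0] == "A" and readable)
    return allowed
```

An empty list from validate_sddl means the string passes the format checks; grants_read(sddl, "NS") confirms the CustomSD actually gives Network Service the read right rather than only Write.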


How to determine the details when only an error code is returned

winrm helpmsg ERROR_CODE_HERE

For example: winrm helpmsg 0x80338126

C:\Users\ssim_support>winrm helpmsg 0x80338126

The WinRM client cannot complete the operation within the time specified. Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management service is enabled.