IBM Support

WinCollect troubleshooting: The RPC server is unavailable. Error code 0x06BA

Question & Answer


Question

How to troubleshoot RPC issues with my WinCollect agent?

Cause

About this issue
This error message is typically displayed when a remote machine being monitored is rebooting or is no longer on the network. If the WinCollect machine itself loses its network connection or cannot be discovered via DNS, a large number of RPC server unavailable messages can appear in the error log. The error might also be seen when the host being polled runs in a virtual environment: virtual machines that were set up with the default power management profile can hibernate, and the WinCollect agent then cannot connect.

The error message
<13>Apr 17 10:54:41 myhostname.com LEEF:1.0|IBM|WinCollect|7.2|4|src=myhostname.com dst=10.10.10.10 sev=5 log=Device.WindowsLog.EventLogMonitor msg=Failed to open event log myhostname.com [myhostname.com:Security]; will try again in approx 60 seconds. Reason: Error code 0x06BA: The RPC server is unavailable.

If this error is accompanied by another error mentioning “Interface not found” it is very likely that either the remote machine or the WinCollect machine is being rebooted or hibernating in a VM environment.
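To separate a single unreachable host from a WinCollect machine that has lost its own network or DNS, the error lines can be grouped by reporting agent. The following is an added example, not IBM code; the host names, the second error code in the sample and the threshold of three targets are assumptions.

```python
import re
from collections import defaultdict

RPC_UNAVAILABLE = 0x06BA  # error code quoted in the message above

# Syslog header, LEEF header, then the "Failed to open event log" message body.
LINE_RE = re.compile(
    r"^<\d+>\w{3}\s+\d+ [\d:]{8} (?P<agent>\S+) LEEF:1\.0\|IBM\|WinCollect\|[^|]*\|[^|]*\|"
    r".*?msg=Failed to open event log (?P<target>\S+) \[[^\]:]+:(?P<log>[^\]]+)\];"
    r".*?Error code (?P<code>0x[0-9A-Fa-f]+): (?P<text>.*)$"
)

def parse_line(line):
    """Return agent, target, log, code (int) and text for one line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"], 16)
    return rec

def triage(lines, agent_threshold=3):
    """Group 0x06BA failures by reporting agent and say where to look first."""
    # agent_threshold is an assumed cut-off: an agent failing against that many
    # distinct targets more likely has its own network or DNS problem.
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["code"] == RPC_UNAVAILABLE:
            targets[rec["agent"]].add(rec["target"])
    return {
        agent: ("agent side" if len(hosts) >= agent_threshold else "target side",
                sorted(hosts))
        for agent, hosts in targets.items()
    }

def sample_line(agent, target, code="0x06BA", text="The RPC server is unavailable."):
    """Build a constructed line in the same layout as the message above."""
    return (f"<13>Apr 17 10:54:41 {agent} LEEF:1.0|IBM|WinCollect|7.2|4|src={agent} "
            f"dst=10.10.10.10 sev=5 log=Device.WindowsLog.EventLogMonitor "
            f"msg=Failed to open event log {target} [{target}:Security]; will try "
            f"again in approx 60 seconds. Reason: Error code {code}: {text}")

# Constructed sample: agent-a fails against three hosts, agent-b against one.
SAMPLE = [sample_line("agent-a", t) for t in ("srv1", "srv2", "srv3")] + [
    sample_line("agent-b", "srv9"), sample_line("agent-b", "srv9"),
    sample_line("agent-b", "srv8", "0x0005", "Access is denied."),
]
```

Call `triage(SAMPLE)` to see the grouping; lines with other error codes are ignored.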

The most common causes of the RPC server is unavailable message
This article will apply to you if:

  1. You have WinCollect log sources that remotely poll for events from other Windows systems, but the remote host is unreachable.
  2. You have WinCollect log sources where the Local System check box is selected and the log source has a non-resolvable hostname or is using the FQDN instead of the short form hostname in the Log Source Identifier field (see Solution 1 below).
  3. You have a cloud environment or network environment where the WinCollect log source cannot resolve the IP address or hostname, or a network device is blocking ports/traffic.
  4. Services are not started on the Windows host to collect events.

Answer

Solution 1. Is the log source configured with the correct IP address or host name in the Log Source Identifier

The Log Source Identifier field should be populated with either an IP address or hostname. You should not use an FQDN such as myhostname.domain.com in the Log Source Identifier field with remote polled events because there is a separate Domain field in the log source configuration when remotely polling Windows systems. For example, \\myhostname.domain.com will generate RPC error messages because the field expects the short form of the hostname or an IP address.

Correct Log Source Identifier values

  • Hostname
  • IP address

Incorrect Log Source Identifier values

  • \\myhostname
  • myhostname.domain.com (This is OK only in the case where the Local System check box is selected.)


Note: The agent must be configured to allow automatic updates to update the log source on the remote agent. The Configuration Polling Interval for the agent determines the frequency with which the agent requests log source and software updates from the Console. After you correct the Log Source Identifier field, click Save, then wait for the configuration interval to expire, which will update the remote WinCollect agent.
Automatic updates must be true to receive log source configuration updates from the console.

Solution 2. Verify the status of the remote system

Is the remote system powered on, available on the network, or is the remote system hibernating?

Solution 3. Verify the correct services are enabled on the remote system

If the WinCollect agent is logging errors, the administrator can verify that the services required by RPC are enabled on the remote system.

Procedure

  1. Log in to the remote system.
  2. Select Start > Programs > Administrative Tools, and then click Services.
  3. In the Status column, the Remote Procedure Call (RPC) service must display Started.
  4. In the Status column, the Remote Registry service must display Started.

Solution 4. Verify the user in your log source includes the correct user right assignment

The user defined in your log source must include the ability to manage auditing and security log.

Procedure

  1. Log in to the remote system.
  2. Select Start > Programs > Administrative Tools, and then click Local Security Policy.
  3. From the navigation menu, select Local Policies > User Rights Assignment.
  4. Right-click on Manage auditing and security log and select Properties.
  5. From the Local Security Setting tab, click Add User or Group to add your WinCollect user to the local security policy.

Log off of the Windows host and attempt to remotely poll the host for Windows events with your WinCollect log source.

If you cannot collect events for the WinCollect log source, you can verify your group policy does not override your local policy. You can also verify that the local firewall settings on the Windows host allow Remote Event Log Management.

Alternately, you can update your log source configuration with the Domain administrator credentials to determine if your issue is permissions related. If Domain administrator credentials are also denied, then the issue might be network related.

Solution 5. Verify you can open the event viewer on the remote system

If you are remotely polling another Windows host for events, you can try to remotely open the event viewer from the system running the WinCollect agent.

Procedure

  1. Log on to the Windows host that has the WinCollect agent locally installed.
  2. Select Start > Programs > Administrative Tools, and then click Event Viewer.
  3. Click Action > Connect to another computer.
  4. Select the Another computer option and type the IP address or host name of the server you want to remotely poll for events.
  5. Click the Connect as another user check box.
  6. Click Set User.
  7. In the User name field, type the domain\username for the user you specified in your log source configuration. For example, test.qradar.com\JohnDoe
  8. Type the password for the user and click OK.
     

What to do next

If you cannot remotely view the event viewer on the remote host, then an RPC Server is unavailable message is displayed.

Administrators can complete an nslookup from the command-line on the host name or IP address you specified. The nslookup should provide you with the host name or FQDN (fully qualified domain name) that you can use to try and remotely connect to the event viewer.

Procedure
1. Click Start > Run, type cmd and press Enter.
2. To verify the DNS entry for your computer, type the following command: nslookup %computername%
3. If the results return an unexpected IP address or name, then you might have to correct conflicting IP information in your DNS server.

Note: If you think this issue might be related to the DNS server and the location of the system, you can do an nslookup for the Active Directory server. To see the Active Directory server, type nslookup ad or nslookup ad.domain.name and compare the results.

4. If the DNS server is not in your zone or if the lookup does not resolve correctly, use the Enable Active Directory Lookups check box.
5. To specify a server to complete an Active Directory Lookup, type an IP address or FQDN of a domain controller in the Override Domain Name Controller field.
6. To specify a server to complete the DNS Lookup for a host, type an IP address or FQDN of a domain controller in the Override DNS Domain Name field.

If you successfully connected to the event viewer of the remote system, then you should verify that the log source configuration is correct and that the Log Source Identifier field contains the host name or FQDN used to connect to the event viewer of the remote system.

Solution 6. Verify required ports are open on the Windows host and that Remote Event Log Management is allowed

All firewalls located between the agent and the system that is being polled for events must allow communication on the following ports:

  • TCP port 135 Microsoft Endpoint Mapper
  • UDP port 137 NetBIOS name service
  • UDP port 138 NetBIOS datagram service
  • TCP port 139 NetBIOS session service
  • TCP port 445 Microsoft Directory Services for file transfers that use a Windows share

To verify the Windows Firewall allows Remote Event Log Management:

Procedure

  1. Log in to the remote system.
  2. Select Start > Programs > Administrative Tools, and then click Windows Firewall with Advanced Security.
  3. Click Inbound Rules.
  4. Verify that the Enabled column lists Yes for all of the Remote Event Log Management firewall rules.

Note: To verify if a port is listening, administrators can type the following command: netstat -an | find "port#"
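The netstat command shows what is listening on the polled host itself; the view from the WinCollect machine can differ when a firewall sits in between. The following added example (not IBM code) probes the TCP ports from Solution 6 from the agent side and separates a refused connection from no response at all. The mapping of results to solutions in `interpret` is a heuristic assumed for this example.

```python
import socket

# TCP ports from the list above. UDP 137/138 are connectionless, so a connect
# test cannot confirm them; check those on the firewall itself.
TCP_PORTS = {135: "Microsoft Endpoint Mapper", 139: "NetBIOS session service",
             445: "Microsoft Directory Services"}

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port as open, refused, no-response or unresolved."""
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "unresolved"          # name lookup failed
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return "open"
    except ConnectionRefusedError:
        return "refused"             # host answered, nothing listens on the port
    except OSError:
        return "no-response"         # timeout or unreachable: host down or filtered
    finally:
        sock.close()

def check_host(host, timeout=3.0):
    """Probe every port in TCP_PORTS and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in TCP_PORTS}

def interpret(results):
    """Heuristic (an assumption of this example) mapping states to a next step."""
    states = set(results.values())
    if states == {"open"}:
        return "reachable: check credentials and user rights (Solution 4)"
    if "unresolved" in states:
        return "name does not resolve: check identifier and DNS (Solutions 1, 5)"
    if states == {"no-response"}:
        return "host down, hibernating or firewalled (Solutions 2, 6)"
    if "refused" in states:
        return "host up, port closed: check services (Solution 3)"
    return "some ports filtered: check firewall rules (Solution 6)"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = check_host(target)
    print(result, "->", interpret(result))
```

Run it on the Windows host where the WinCollect agent is installed, passing the same host name or IP address that is in the Log Source Identifier field.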

Product: IBM Security QRadar SIEM
Component: WinCollect
Platform: Windows
Version: 7.3.1; 7.3; 7.2.8; 7.2

Document Information

Modified date:
02 December 2020

UID

swg21666403