IBM Support

WinCollect unable to read remote registry syslog messages

Question & Answer


Question

Why does my WinCollect agent send syslog messages stating that it cannot read the environment or cannot read the remote registry, and therefore cannot format Windows logs properly?

Cause

WinCollect agents that remotely poll other systems for events use the remote registry to determine the operating system of the system they are communicating with and to obtain the information needed to format the events correctly for that operating system. If the agent cannot read the registry of the remote system, it generates one of the following syslog events:


LEEF:1.0|IBM|WinCollect|7.1|4|src=Hostname dst=IP address sev=4 log=Device.WindowsLog.RegistryCacheInfo.\\IPaddress.InitializeEnvironmentInfo msg=Couldn't retrieve environment on machine \\IP address

or

LEEF:1.0|IBM|WinCollect|7.1|4|src=Hostname dst=IP address sev=4 log=Device.WindowsLog.RemoteMessageFormatter::GetMessageA.IPaddress msg=We can retrieve logs for this machine (\\IP address) but we can't seem to access the machine's registry. This means that the 'Message=' portion of the payload will contain only the insertion values (no formatting will be present). This could adversely affect the parsing of the log by the receiver.

Answer

Administrators who see these event messages in the Log Activity tab should review the permissions assigned to the user in their log source configuration. If that user does not have the required permission level, the agent detects the condition and generates these messages to alert the administrator.

This issue can also be caused by the Remote Registry service not running on the Windows system that the agent attempts to poll.


If the Windows system is Microsoft Windows 2003, then the administrator should verify that the system has been patched to resolve the issue described in Microsoft knowledge base article kb555335.
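The two checks described in the answer (log source user permissions and the Remote Registry service) can be reproduced from the agent host with the following added PowerShell script, which is not IBM's or WinCollect's own code. It assumes Windows PowerShell 5.1 (Get-Service -ComputerName was removed in PowerShell 7), that it runs under the account configured for the log source, and that the HKLM CurrentVersion key stands in for the environment information the agent reads.

```powershell
# Added diagnostic example (not from IBM or WinCollect): reaches a polled host
# the way a remote WinCollect agent does and reports which of the two causes
# from the answer applies. Assumption: the account running this script is the
# one configured in the WinCollect log source.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName
)

# Check 1: is the Remote Registry service running on the target?
try {
    $svc = Get-Service -ComputerName $ComputerName -Name 'RemoteRegistry' -ErrorAction Stop
    "RemoteRegistry on {0}: {1} (StartType={2})" -f $ComputerName, $svc.Status, $svc.StartType
    if ($svc.Status -ne 'Running') {
        Write-Warning "Remote Registry is not running on $ComputerName; the agent cannot read the OS environment."
    }
} catch {
    Write-Warning "Could not query services on $ComputerName : $($_.Exception.Message)"
}

# Check 2: can this account open HKLM remotely and read the OS version?
# (Assumption: the CurrentVersion key is representative of what the agent reads.)
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    if ($null -eq $key) { throw "CurrentVersion key is not readable" }
    "OS on {0}: {1} (build {2})" -f $ComputerName, $key.GetValue('ProductName'), $key.GetValue('CurrentBuildNumber')
    $key.Close()
    $hklm.Close()
} catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
    # Matches the first cause in the answer: the log source user lacks registry read rights.
    Write-Warning "Access denied reading the registry of $ComputerName; review the log source user's permissions."
} catch [System.IO.IOException] {
    # Typically raised when the Remote Registry service is stopped or the host is unreachable.
    Write-Warning "Registry connection to $ComputerName failed: $($_.Exception.Message)"
} catch {
    Write-Warning "Registry read failed on $ComputerName : $($_.Exception.Message)"
}
```

Run it as the log source user against a host that produced the messages above; a warning from check 1 points at the service, a warning from check 2 at permissions.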





Document Information

Modified date:
10 May 2019

UID

swg21666808