IBM Support

WinCollect: 10.1.4 can experience an issue where security events do not forward to Domain Controllers (IJ47086)

Troubleshooting


Problem

When a Windows server is promoted to a Domain Controller, its local group policies are disabled and the Active Directory security policies are applied instead. Users who updated to WinCollect 10.1.4 and installed the service with the virtual account (NT Service\WinCollect) can experience an issue where Security events cannot be forwarded to QRadar, as described in APAR IJ47086. Users who experience this issue can modify the WinCollect service to use the LocalSystem account to resolve it. This technical note is intended to describe the workaround for users more clearly.

Symptom

Administrators who updated to WinCollect 10.1.4 and installed with the virtual account option (NT SERVICE\WinCollect) cannot collect and forward Security events to QRadar. This issue can occur when a Windows administrator promotes a Windows server to a Domain Controller, because the local account policies change.
As Application and System channel events do not require special permissions, these events are read and forwarded to QRadar.

When this issue occurs, the following error message can be displayed in the WinCollect logs.
Unable to subscribe to channel Security - error:5:Access is denied.
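The following PowerShell script is an added example, not part of the IBM technical note, that checks a host for the combination described above (domain controller role, service running as the virtual account, and the "Access is denied" subscription error in the agent log) and, only when explicitly requested, applies the LocalSystem workaround. It assumes the service name is WinCollect and assumes the log file location; adjust both for your installation.

```powershell
# Added diagnostic for the IJ47086 symptom. Assumptions: the service is
# named "WinCollect" (implied by NT SERVICE\WinCollect) and the agent log
# lives at the default path below. Run in an elevated PowerShell session.
param(
    [string]$ServiceName = 'WinCollect',
    [string]$LogPath = 'C:\Program Files\IBM\WinCollect\logs\WinCollect.log',  # assumed path
    [switch]$SwitchToLocalSystem   # opt-in: apply the workaround from the note
)

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$isDomainController = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# Virtual account logon name as shown by the SCM, e.g. "NT SERVICE\WinCollect"
$usesVirtualAccount = $svc.StartName -ieq "NT SERVICE\$ServiceName"

# Look for the subscription failure quoted in the symptom section
$deniedLines = @()
if (Test-Path $LogPath) {
    $deniedLines = @(Select-String -Path $LogPath `
        -Pattern 'Unable to subscribe to channel Security.*error:5:Access is denied')
}

Write-Host "Service logon account : $($svc.StartName)"
Write-Host "Domain controller role: $isDomainController"
Write-Host "Security access-denied: $($deniedLines.Count) log line(s)"

$affected = $isDomainController -and $usesVirtualAccount
if (-not $affected) {
    Write-Host 'Host does not match the IJ47086 condition (DC + virtual account).'
    return
}

Write-Warning 'Host matches IJ47086: Security channel reads will fail for the virtual account.'
if (-not $SwitchToLocalSystem) {
    Write-Host "Re-run with -SwitchToLocalSystem to change the service to LocalSystem."
    return
}

# Apply the workaround: reconfigure the service logon to LocalSystem and restart it.
# Note the space after "obj=", which sc.exe requires.
& sc.exe config $ServiceName obj= LocalSystem | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
Restart-Service -Name $ServiceName
Write-Host "Service '$ServiceName' now runs as: $((Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName)"
```

After the restart, confirm that new Security events reach QRadar and that the "Access is denied" line no longer appears in the agent log.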

Document Location

Worldwide



Document Information

Modified date:
15 June 2023

UID

ibm17004229