Troubleshooting
Problem
When Windows servers are promoted to Domain Controllers, the local group policies are disabled and Active Directory security policies are applied. Users who updated to WinCollect 10.1.4 and installed the service with the virtual account (NT SERVICE\WinCollect) can experience an issue where Security events cannot be forwarded to QRadar, as described in APAR IJ47086. Users who experience this issue can modify the WinCollect service to use the LocalSystem account to resolve it. This technical note is intended to more clearly describe the workaround for users.
Symptom
Administrators who updated to WinCollect 10.1.4 and installed with the virtual account option to use NT SERVICE\WinCollect cannot collect and forward Security events to QRadar. This issue can occur when a Windows administrator promotes a Windows server to a Domain Controller, because the local account policies change.
As Application and System channel events do not require special permissions, these events are read and forwarded to QRadar.
When this issue occurs, the following error message can be displayed in the WinCollect logs.
Unable to subscribe to channel Security - error:5:Access is denied.
Environment
WinCollect 10.1.4 where a Windows Server installation is promoted to a Domain Controller.
Resolving The Problem
Windows administrators can update the WinCollect service properties on the Domain Controller to resolve this issue.
Procedure
- Log in to the Windows host with the WinCollect agent.
- Press Windows key + R.
- Type services.msc and press Enter.
- Right-click on the IBM WinCollect service, select Properties.
Note: Administrators who installed WinCollect 10.1.4 with a virtual account see the Log On As column display NT SERVICE.
- Click the Log On tab and select Local System account.
- Click OK.
- Right-click on the WinCollect service and select Restart.
Note: The Log On As column is expected to display Local System.
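The same change can be made from an elevated PowerShell session instead of services.msc. The script below is an added example and is not part of the IBM technote or the WinCollect product; it assumes the service's display name contains "WinCollect", and the agent log path is a placeholder that must be replaced with the real location on the host.

```powershell
# Added example (not from the IBM technote): switch the WinCollect service from the
# NT SERVICE\WinCollect virtual account to LocalSystem and restart it.
# Run in an elevated PowerShell session on the Domain Controller.
# Assumptions: the service display name contains "WinCollect"; $LogPath is a
# placeholder and must be set to the real WinCollect agent log file.

$LogPath = 'C:\PLACEHOLDER\WinCollect\logs\WinCollect.log'   # assumption: adjust to your install

# Sanity check: the symptom applies once the host is a Domain Controller
# (Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC).
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -notin 4, 5) {
    Write-Warning "This host is not a Domain Controller (DomainRole=$role); the workaround targets promoted servers."
}

# Locate the service by display name (assumption: it contains 'WinCollect').
$svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%WinCollect%'" | Select-Object -First 1
if (-not $svc) { throw "WinCollect service not found." }
"Service '$($svc.Name)' currently logs on as: $($svc.StartName)"

# Optional: confirm the symptom in the agent log before changing anything.
if (Test-Path $LogPath) {
    Select-String -Path $LogPath -Pattern 'Unable to subscribe to channel Security' -SimpleMatch |
        Select-Object -Last 3
}

# Equivalent of Properties > Log On > Local System account.
# Win32_Service.Change returns 0 on success.
if ($svc.StartName -ne 'LocalSystem') {
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
        -Arguments @{ StartName = 'LocalSystem'; StartPassword = '' }
    if ($result.ReturnValue -ne 0) {
        throw "Win32_Service.Change failed with return code $($result.ReturnValue)."
    }
}

# Equivalent of right-click > Restart.
Restart-Service -Name $svc.Name -Force

# Verify: the Log On As value should now be LocalSystem and the service running.
$after = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
"Now logs on as: $($after.StartName) (state: $($after.State))"
```

After the restart, confirm in the agent log that the "Access is denied" subscription error for the Security channel no longer repeats.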
Results
After the WinCollect agent service restarts, Security events are successfully forwarded. Administrators can use the WinCollect agent Top Sources graph or the QRadar user interface to confirm Security channel events are received from the Domain Controller.
- Option 1: Log in to the WinCollect 10 user interface and confirm the Top Sources graph shows EPS for Security events.
- Option 2: Log in to the QRadar user interface and filter the Log Activity tab to confirm events are received.
Product Synonym
QRadar WinCollect
Document Information
Modified date:
15 June 2023
UID
ibm17004229