IBM Support

WinCollect: Non-English Windows operating systems might not assign virtual accounts correctly (IJ47330)

How To


Summary

Users reported an issue, tracked as APAR IJ47330, where WinCollect 10.1.4 might not add the WinCollect virtual account (NT Service\WinCollect) to the Administrators or Event Log Readers group. This technical note describes how to check and correct that group membership when WinCollect 10.1.4 is installed on a Windows host whose default language is not English.

Environment

Windows hosts where WinCollect 10.1.4 is installed, the operating system language is not English, and the option Yes, add the WinCollect virtual account to Administrators group is selected during installation:
Figure 1: Example of the virtual account option in WinCollect 10.1.4.

Steps

Administrators must confirm the group names and update the permissions in Computer Management based on the OS language. The commands in this technical note refer to the groups by name, so they differ depending on your Windows OS language.

Procedure
  1. Log in to the Windows host where the WinCollect agent is installed.
  2. Press Windows key + R and type compmgmt.msc.
  3. Expand Local Users and Groups and select Groups.
  4. Right-click the Event Log Readers group and select Properties.
  5. Verify that NT Service\WinCollect is listed as a member of the group.
    For example, the following screen capture shows the Event Log Readers group (Ereignisprotokollleser) on a German-language system where WinCollect was not added to the group.
    Figure 2: On a non-English system, the Event Log Readers and Administrators groups are expected to list NT Service\WinCollect.
  6. Right-click the Administrators group and select Properties.
  7. Verify that NT Service\WinCollect is listed as a member of the group.
  8. Right-click the Windows button and select Windows PowerShell (Admin).
  9. To add NT Service\WinCollect to the local groups, type the following commands at the elevated prompt (these are net.exe commands; the group names are the ones shown in Computer Management):
    net localgroup "Event Log Readers" /add "NT SERVICE\WinCollect"
    net localgroup Administrators /add "NT SERVICE\WinCollect"
    For example, if your Windows OS language is German, type the following commands:
    net localgroup "Ereignisprotokollleser" /add "NT SERVICE\WinCollect"
    net localgroup Administratoren /add "NT SERVICE\WinCollect"

    Important: If your Windows operating system is configured to use a non-English language, you must use the translated group names in the commands. Group names are matched without regard to case. The built-in groups also carry fixed well-known SIDs that do not change with the display language (Event Log Readers is S-1-5-32-573, Administrators is S-1-5-32-544), which can be used to identify the correct group when the translated name is unknown. Event Log Readers membership is required to collect events locally or to poll for them remotely. If you do not have any file-based event sources that require administrator permissions to read, you might not need to add NT Service\WinCollect to the Administrators group. WinCollect adds the virtual account to both groups by default during installation.
    Globalized Event Log Readers and Administrators names to update permissions for WinCollect 10.1.4

    Language               Translation for Event Log Readers     Translation for Administrators
    Chinese (Simplified)   事件日志读取器                         管理员
    Chinese (Traditional)  事件日誌讀取器                         管理員
    English                Event Log Readers                     Administrators
    French                 Lecteurs de journaux d'événements     Administrateurs
    German                 Ereignisprotokollleser                Administratoren
    Italian                Lettori registro eventi               Amministratori
    Japanese               イベントログリーダー                   管理者
    Korean                 이벤트 로그 판독기                     관리자
    Portuguese             Leitores de log de eventos            Administradores
    Russian                Читатели журнала событий              Администраторы
    Spanish                Lectores de registro de eventos       Administradores

    Table 1: List of translated names for built-in Windows groups.
     
  10. Verify that the Administrators and Event Log Readers groups now list NT Service\WinCollect.
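The following script is an added example, not part of IBM's technical note, that performs steps 4 through 10 without depending on the translated group names: it resolves the two built-in groups through their well-known SIDs (S-1-5-32-573 and S-1-5-32-544), checks whether NT Service\WinCollect is already a member, and adds it with net.exe only where it is missing. It assumes the agent's Windows service name is WinCollect (which is what the virtual account name NT Service\WinCollect implies) and must be run from an elevated PowerShell prompt; the $AddToAdministrators switch and the function names are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not IBM's code): repair WinCollect group membership on any Windows language.

$VirtualAccount      = 'NT SERVICE\WinCollect'
$AddToAdministrators = $true   # set to $false if no file-based sources need admin rights (see note above)

# Well-known SIDs of the BUILTIN groups; these are identical on every Windows language.
$TargetGroups = @(
    @{ Label = 'Event Log Readers'; Sid = 'S-1-5-32-573' }
)
if ($AddToAdministrators) {
    $TargetGroups += @{ Label = 'Administrators'; Sid = 'S-1-5-32-544' }
}

function Get-LocalizedGroupName {
    param([Parameter(Mandatory)][string]$Sid)
    # Translate the SID to its account name, e.g. "BUILTIN\Ereignisprotokollleser",
    # and keep only the group part, which is the form net.exe expects.
    $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    return $account.Split('\')[-1]
}

function Test-VirtualAccountMembership {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$Member
    )
    # Get-LocalGroupMember accepts the group SID directly, so no translated name is needed.
    $members = Get-LocalGroupMember -SID $Sid -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -ieq $Member })
}

$changed = $false
foreach ($group in $TargetGroups) {
    $localName = Get-LocalizedGroupName -Sid $group.Sid

    if (Test-VirtualAccountMembership -Sid $group.Sid -Member $VirtualAccount) {
        Write-Host "OK: $VirtualAccount is already a member of '$localName' ($($group.Label))"
        continue
    }

    Write-Host "Adding $VirtualAccount to '$localName' ($($group.Label))"
    # net.exe is used here because it is what the technical note uses and it accepts
    # the virtual account name directly; the resolved local name replaces the hard-coded one.
    & net.exe localgroup "$localName" "$VirtualAccount" /add | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup failed for '$localName' (exit code $LASTEXITCODE)"
    }
    $changed = $true
}

if ($changed) {
    # Group membership is evaluated when the service logs on, so restart the agent
    # (service name assumed to be WinCollect, matching the virtual account name).
    Restart-Service -Name 'WinCollect' -ErrorAction Stop
    Write-Host 'WinCollect service restarted to pick up the new group membership.'
}

# Final check, equivalent to step 10 of the procedure.
foreach ($group in $TargetGroups) {
    $ok = Test-VirtualAccountMembership -Sid $group.Sid -Member $VirtualAccount
    Write-Host ("{0}: {1}" -f $group.Label, $(if ($ok) { 'present' } else { 'MISSING' }))
}
```

Because the groups are located by SID rather than by name, the same script can be reused on English, German, Japanese or any other Windows installation without consulting Table 1; the translated name is only printed for the operator's benefit.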

Results

Open the WinCollect 10 Configuration Console and check whether any errors are reported. If you receive error code 5 (Access is denied), confirm that both groups list NT Service\WinCollect, then restart the WinCollect agent so that the service logs on with the updated group membership. If the issue persists, contact QRadar Support for further assistance.

Document Location

Worldwide

Product: IBM Security QRadar SIEM (Platform Independent, All Versions); IBM QRadar on Cloud (Platform Independent, All Versions)
Category: WinCollect
Line of Business: Security Software

Document Information

Modified date:
06 July 2023

UID

ibm17009769