IBM QRadar

Hello my friends,

Im getting this error messages on my Windows 10 or Windows server 2012 instances:

------------------------------
Henry Alonso Valdivia Barba
------------------------------

Hello! Yes. I have the same problem and think I will open a support case for this. 

This is the link to the Wincollect( WinCollect 10.1.4) documentation:

https://www.ibm.com/docs/en/qradar-common?topic=10-wincollect-virtual-accounts

It says:

During the installation I chose the first option:

Error:

Using the command line install also didn't work:

msiexec.exe /qn /i WinCollect-10.X.X-X.x64.msi QUICK_INSTALL="yes" WC_DEST="<qrhostname.domain.lab>" ADMIN_GROUP="true"

Anyone able to solve this problem?

Thanks 

------------------------------
BrunoMarX

Original Message:
Sent: Mon July 03, 2023 12:02 AM
From: Henry Alonso Valdivia Barba
Subject: Local Wincollect 10 - Access denied IIS and Security logs

Hello my friends,

Im getting this error messages on my Windows 10 or Windows server 2012 instances:

------------------------------
Henry Alonso Valdivia Barba
------------------------------

I just checked that this problem only happens on domain controllers. The workaround is to fall back to running Wincollect as LocalSystem, which was the reason why IBM introduced virtual accounts in Wincollect in the first place

https://www.ibm.com/support/pages/node/7004229

------------------------------
BrunoMarX

Original Message:
Sent: Wed July 05, 2023 07:33 AM
From: BrunoMarX
Subject: Local Wincollect 10 - Access denied IIS and Security logs

Hello! Yes. I have the same problem and think I will open a support case for this. 

This is the link to the Wincollect( WinCollect 10.1.4) documentation:

https://www.ibm.com/docs/en/qradar-common?topic=10-wincollect-virtual-accounts

It says:

During the installation I chose the first option:

Error:

Using the command line install also didn't work:

msiexec.exe /qn /i WinCollect-10.X.X-X.x64.msi QUICK_INSTALL="yes" WC_DEST="<qrhostname.domain.lab>" ADMIN_GROUP="true"

Anyone able to solve this problem?

Thanks 

------------------------------
BrunoMarX

Original Message:
Sent: Mon July 03, 2023 12:02 AM
From: Henry Alonso Valdivia Barba
Subject: Local Wincollect 10 - Access denied IIS and Security logs

Hello my friends,

Im getting this error messages on my Windows 10 or Windows server 2012 instances:

------------------------------
Henry Alonso Valdivia Barba
------------------------------

@Henry Alonso Valdivia Barba

I think this is related to an issue where non-English languages do not get their virtual accounts set correctly. The root cause here is that Groups do not get the Administrator or Event Log Reader set to allow NT Service\WinCollect as the group names are different, so they fail. This leads to Access Denied (Error Code 5) issues. 

I just wrote a technical note on this issue today and there is an APAR pending that should be visible tomorrow as well: 

• WinCollect: Non-English Windows operating systems might not assign virtual accounts correctly (IJ47330)
• APAR IJ47330
  Note: This APAR is not visible online for me yet, as it was just opened. The tech note I linked includes all of the relevant info though. 

@Bruno Marx As it appears that your agent is installed on a Windows host and is a DC, you need to set agent to use the Local System. You already found the correct link, but adding a clickable version in case anyone else comes across this discussion. For more info, see 
WinCollect: 10.1.4 can experience an issue where security events do not forward to Domain Controllers (IJ47086)

------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com

Original Message:
Sent: Wed July 05, 2023 11:11 AM
From: BrunoMarX
Subject: Local Wincollect 10 - Access denied IIS and Security logs

I just checked that this problem only happens on domain controllers. The workaround is to fall back to running Wincollect as LocalSystem, which was the reason why IBM introduced virtual accounts in Wincollect in the first place

https://www.ibm.com/support/pages/node/7004229

------------------------------
BrunoMarX

Original Message:
Sent: Wed July 05, 2023 07:33 AM
From: BrunoMarX
Subject: Local Wincollect 10 - Access denied IIS and Security logs

Hello! Yes. I have the same problem and think I will open a support case for this. 

This is the link to the Wincollect( WinCollect 10.1.4) documentation:

https://www.ibm.com/docs/en/qradar-common?topic=10-wincollect-virtual-accounts

It says:

During the installation I chose the first option:

Error:

Using the command line install also didn't work:

msiexec.exe /qn /i WinCollect-10.X.X-X.x64.msi QUICK_INSTALL="yes" WC_DEST="<qrhostname.domain.lab>" ADMIN_GROUP="true"

Anyone able to solve this problem?

Thanks 

------------------------------
BrunoMarX

Original Message:
Sent: Mon July 03, 2023 12:02 AM
From: Henry Alonso Valdivia Barba
Subject: Local Wincollect 10 - Access denied IIS and Security logs

Hello my friends,

Im getting this error messages on my Windows 10 or Windows server 2012 instances:

------------------------------
Henry Alonso Valdivia Barba
------------------------------

Hi @Jonathan Pechta !

Thank you!

Thank you for your Technote: https://www.ibm.com/support/pages/node/7009769

is it really necessary to add "NT Service\Wincollect" To the ADministrators group?

Here in German:

NT Service is part only of Event Log Readers (Ereignisprotokollleser). WinCollect can now process security events.

In Addition to that, I think it is enough if we only add NT Service to Event Log Readers using cmd. It is not necessary to use compmgmt.msc.to add the account to the group. in other words. you either do one(compmgmt.msc.) or the other (CMD) to include the account. 

Besides: 

net localgroup "Event Log Readers" /add NT SERVICE\WinCollect

does not work since you need to add " " to the account

net localgroup "Event Log Readers" /add NT "SERVICE\WinCollect"

should work.

to sum up, on a non-domain controller I need to add the account to the Event Log Readers group manually. it does not need to be part of Administrators for me to process Security Events. So Why should NT Service\Wincollect a local administrator?

Regards,

Bruno

------------------------------
BrunoMarX

Original Message:
Sent: Wed July 05, 2023 05:43 PM
From: Jonathan Pechta
Subject: Local Wincollect 10 - Access denied IIS and Security logs

@Henry Alonso Valdivia Barba

I think this is related to an issue where non-English languages do not get their virtual accounts set correctly. The root cause here is that Groups do not get the Administrator or Event Log Reader set to allow NT Service\WinCollect as the group names are different, so they fail. This leads to Access Denied (Error Code 5) issues. 

I just wrote a technical note on this issue today and there is an APAR pending that should be visible tomorrow as well: 

• WinCollect: Non-English Windows operating systems might not assign virtual accounts correctly (IJ47330)
• APAR IJ47330
  Note: This APAR is not visible online for me yet, as it was just opened. The tech note I linked includes all of the relevant info though. 

@Bruno Marx As it appears that your agent is installed on a Windows host and is a DC, you need to set agent to use the Local System. You already found the correct link, but adding a clickable version in case anyone else comes across this discussion. For more info, see 
WinCollect: 10.1.4 can experience an issue where security events do not forward to Domain Controllers (IJ47086)

------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com

Original Message:
Sent: Wed July 05, 2023 11:11 AM
From: BrunoMarX
Subject: Local Wincollect 10 - Access denied IIS and Security logs

I just checked that this problem only happens on domain controllers. The workaround is to fall back to running Wincollect as LocalSystem, which was the reason why IBM introduced virtual accounts in Wincollect in the first place

https://www.ibm.com/support/pages/node/7004229

------------------------------
BrunoMarX

Original Message:
Sent: Wed July 05, 2023 07:33 AM
From: BrunoMarX
Subject: Local Wincollect 10 - Access denied IIS and Security logs

Hello! Yes. I have the same problem and think I will open a support case for this. 

This is the link to the Wincollect( WinCollect 10.1.4) documentation:

https://www.ibm.com/docs/en/qradar-common?topic=10-wincollect-virtual-accounts

It says:

During the installation I chose the first option:

Error:

Using the command line install also didn't work:

msiexec.exe /qn /i WinCollect-10.X.X-X.x64.msi QUICK_INSTALL="yes" WC_DEST="<qrhostname.domain.lab>" ADMIN_GROUP="true"

Anyone able to solve this problem?

Thanks 

------------------------------
BrunoMarX

Original Message:
Sent: Mon July 03, 2023 12:02 AM
From: Henry Alonso Valdivia Barba
Subject: Local Wincollect 10 - Access denied IIS and Security logs

Hello my friends,

Im getting this error messages on my Windows 10 or Windows server 2012 instances:

------------------------------
Henry Alonso Valdivia Barba
------------------------------