I am trying to integrate a server using MSRPC but am having an issue with it. In the console it is not showing any status. I used the test tool to try to debug it and it gives me
Remote registry connection failed with STATUS_PIPE_NOT_AVAILABLE
which I am not able to figure out what it is related to.
The user is in the Event Log Readers group; I used the same on another server and it works fine.
Both services are enabled:
- Remote Procedure Call (RPC)
- RPC Endpoint Mapper
The firewall is not blocking anything.
I tried restarting the services and turning off the firewall, but it's still showing the same issue and I am stumped. The entire log is below:
[rootSupport Member]# java -jar Q1MSRPCTest.jar -h y.y.y.y -u user -p password -b
Active Directoy Domain, or Hostname if in a Workgroup: directory
2021-06-24 10:15:47 RPCSession INFO : [NOT:0000006000][x.x.x.x/- -] [-/- -][y.y.y.y] Gathering Host Information...
2021-06-24 10:15:47 RPCSession INFO : [NOT:0000006000][x.x.x.x/- -] [-/- -][y.y.y.y] Querying Windows Version and Locale...
2021-06-24 10:15:47 EventLogWinRegistry DEBUG: Remote registry connection failed with STATUS_PIPE_NOT_AVAILABLE [0xC00000AC]. Retry 1 of 5.
2021-06-24 10:15:48 RPCSession INFO : [NOT:0000006000][x.x.x.x/- -] [-/- -][y.y.y.y] OS: Windows Server 2016 Standard
2021-06-24 10:15:48 ExceptionReformatter DEBUG: WindowsError: Access is denied, please check whether the [domain-username-password] are correct. Also, if not already done please check the GETTING STARTED and FAQ sections in readme.htm. They provide information on how to correctly configure the Windows machine for DCOM access, so as to avoid such exceptions. [0x00000005] - Caused by: Access is denied, please check whether the [domain-username-password] are correct. Also, if not already done please check the GETTING STARTED and FAQ sections in readme.htm. They provide information on how to correctly configure the Windows machine for DCOM access, so as to avoid such exceptions. [0x00000005]
2021-06-24 10:15:48 RPCSession ERROR: [NOT:0000003000][x.x.x.x/- -] [-/- -][y.y.y.y] Unable to get Locale: Could not read registry value 'HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language\InstallLanguage': Access is denied.
2021-06-24 10:15:48 RPCSession INFO : [NOT:0000006000][x.x.x.x/- -] [-/- -][y.y.y.y] Auto-detecting protocol...
2021-06-24 10:15:48 RPCSession INFO : [NOT:0000006000][x.x.x.x/- -] [-/- -][y.y.y.y] Found MS-EVEN6 (by OS version)
2021-06-24 10:15:48 RPCSession INFO : [NOT:0000006000][x.x.x.x/- -] [-/- -][y.y.y.y] Host Information [OS: Windows Server 2016 Standard, Locale: United States (0409), Protocol: MSEVEN6]
2021-06-24 10:15:48 RPCEventLogHandler INFO : [NOT:0000006000][x.x.x.x/- -] [-/- -][y.y.y.y] Establishing Connection...
2021-06-24 10:15:48 RPCEventLogHandler INFO : [NOT:0000006000][x.x.x.x/- -] [-/- -][y.y.y.y] Connected
====================================================================
Connection to y.y.y.y succeeded!
#QRadar#Support#SupportMigration
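
Added example, not part of the original post or of the test tool: a small Python triage of output in the format quoted above, which separates the remote-registry stage (where the status codes appear) from the MS-EVEN6 event log connection. The sample lines are constructed from the quoted log (the long ExceptionReformatter message is shortened), and the function name `triage` and the result keys are assumptions.

```python
import re

# Constructed sample in the line format of the test tool output quoted above
# (the long ExceptionReformatter message is shortened).
SAMPLE = r"""
2021-06-24 10:15:47 RPCSession INFO : [NOT:0000006000][x.x.x.x/- -] [-/- -][y.y.y.y] Querying Windows Version and Locale...
2021-06-24 10:15:47 EventLogWinRegistry DEBUG: Remote registry connection failed with STATUS_PIPE_NOT_AVAILABLE [0xC00000AC]. Retry 1 of 5.
2021-06-24 10:15:48 ExceptionReformatter DEBUG: WindowsError: Access is denied [0x00000005]
2021-06-24 10:15:48 RPCSession ERROR: [NOT:0000003000][x.x.x.x/- -] [-/- -][y.y.y.y] Unable to get Locale: Could not read registry value 'HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language\InstallLanguage': Access is denied.
2021-06-24 10:15:48 RPCSession INFO : [NOT:0000006000][x.x.x.x/- -] [-/- -][y.y.y.y] Found MS-EVEN6 (by OS version)
2021-06-24 10:15:48 RPCEventLogHandler INFO : [NOT:0000006000][x.x.x.x/- -] [-/- -][y.y.y.y] Connected
Connection to y.y.y.y succeeded!
"""

# timestamp, component, level, message
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+)\s+(\w+)\s*:\s*(.*)$")
# leading bracket groups: [NOT:...][source] [-/- -][host]
PREFIX = re.compile(r"^(?:\[[^\]]*\]\s*)+")
# bracketed 32-bit status codes such as [0xC00000AC]
CODE = re.compile(r"\[(0x[0-9A-Fa-f]{8})\]")


def triage(text):
    """Summarise which stage of the test reported errors and which succeeded."""
    result = {"codes": {}, "registry_failures": [], "protocol": None,
              "eventlog_connected": False}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, banner lines, blank lines
        _ts, component, level, msg = m.groups()
        msg = PREFIX.sub("", msg)
        for code in CODE.findall(msg):
            # remember the first component that reported each status code
            result["codes"].setdefault(code, component)
        if "registry" in msg.lower() and level in ("DEBUG", "ERROR"):
            result["registry_failures"].append(msg)
        found = re.match(r"Found (\S+)", msg)
        if found:
            result["protocol"] = found.group(1)
        if component == "RPCEventLogHandler" and msg == "Connected":
            result["eventlog_connected"] = True
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```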