IBM Security QRadar

  • 1.  Wincollect | Error code 5: Access is denied.

    Posted Wed January 13, 2021 05:28 PM
    Hi 
    I am receiving "Error code 5: Access is denied." on my WinCollect agents, which are polling remote Windows servers. When logged into a WinCollect agent and connected to the remote computer (having the issue) with the user account, it opens up the logs of the remote device.
    Additionally, I followed the below IBM article but no luck. The WinCollect agent throws an error that access is denied.

    I am not sure why it was happening, since I was able to remotely connect and view logs from the WinCollect agent.

    WinCollect error code: 0x0005 Access denied
    My WinCollect agents are generating error codes for 0x0005 access denied. Why am I seeing error code 0x0005 from my WinCollect agents?

    I see the below error on my Windows 2019 server:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

    However, I use the same credentials for all working servers in my environment. There are a few servers which throw this error, and on QRadar I see error 5 access denied.

    My Windows servers have proper permissions for the QRadar account to log in. I ran out of options with this issue.

    Can anyone throw light on this type of issue?


    ------------------------------
    Vijay Reddy
    ------------------------------


  • 2.  RE: Wincollect | Error code 5: Access is denied.

    IBM Champion
    Posted Wed January 13, 2021 05:45 PM
    Hi Vijay,

    Did you check that the user for your log source is listed in the "windows eventlog reader group" in group or local policy?

    Regards,
    Ralph

    ------------------------------
    Ralph Belfiore
    IT Security Senior Consulting
    pro4bizz GmbH
    Karlsruhe
    +49 721 90981720
    ------------------------------
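
One way to run the two checks raised so far on an affected server, as an added example that is not part of the original posts and is not IBM's code: confirm direct membership in the built-in Event Log Readers group, then list recent failed logons (event 4625) for the polling account with the Status and Sub Status values decoded. The account name `qradar_svc` is a placeholder assumption.

```powershell
# Run in an elevated PowerShell session on the Windows server that rejects the poll.
# Assumption: 'qradar_svc' is a placeholder for the account used by the log source.
$Account = 'qradar_svc'

# Documented NTSTATUS values that commonly appear in event 4625.
# PowerShell hashtable keys are case-insensitive, so '0xc000006d' also matches.
$NtStatus = @{
    '0xC000006D' = 'STATUS_LOGON_FAILURE: bad user name or authentication information'
    '0xC0000064' = 'STATUS_NO_SUCH_USER: the account name does not exist'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD: user name is valid, password is wrong'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC000015B' = 'STATUS_LOGON_TYPE_NOT_GRANTED: logon right not granted on this machine'
}

# 1. Direct membership in Event Log Readers (well-known SID S-1-5-32-573).
#    Membership through a nested domain group is not resolved here.
$members = Get-LocalGroupMember -SID 'S-1-5-32-573' -ErrorAction SilentlyContinue
$direct  = $members | Where-Object { $_.Name -like "*\$Account" }
if ($direct) { "Event Log Readers contains $($direct.Name)" }
else         { "No direct entry for $Account; members: $($members.Name -join ', ')" }

# 2. Failed logons for the account in the last 24 hours, with decoded status codes.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the EventData name/value pairs of the event XML into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d['TargetUserName'] -like "*$Account*") {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $d['LogonType']
            Source    = $d['IpAddress']
            Status    = $NtStatus[$d['Status']]
            SubStatus = $NtStatus[$d['SubStatus']]
        }
    }
} | Format-List
```

A Sub Status of 0xC0000064 means the server did not recognize the account name as it was presented, so compare the `User` value shown here (domain and name) with what the log source is configured to send.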



  • 3.  RE: Wincollect | Error code 5: Access is denied.

    Posted Fri January 22, 2021 12:35 PM
    Hi Ralph 

    I figured out the issue to be with the configuration server. I have deleted and recreated the log sources, which seems to have worked out.


    Thank you 



    ------------------------------
    Vijay Reddy
    ------------------------------