Hello guys, I'm currently trialing the NXLog Enterprise version and am specifically interested in its agentless mode. While working on it I have come across a blockade that seems to not forward logs from a Windows Server machine to the Linux Windows Event Collector (where NXLog Enterprise is running).

I'm running NXLog version 5.1.6133 on Ubuntu. Here are the details (SERVER details, w.r.t. the im_wseventing module documentation):

NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"

Below are the client details; the client forwards logs to the server above using the agentless method:

OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server

I'm getting the following error message while trying to forward logs. I'm seeing this error in Event Viewer under the Eventlog-Forwarding plugin. I have followed the documentation and generated certs, and the certs seem to be valid and working.

Log Name:      Microsoft-Windows-Forwarding/Operational
Source:        Microsoft-Windows-Forwarding
Date:          10/28/2020 2:37:05 AM
Event ID:      105
Task Category: None
Level:         Error
Keywords:      
User:          NETWORK SERVICE
Computer:      computer_name
Description:
The forwarder is having a problem communicating with subscription manager at address HTTPS://private_ip_address:5986/wsman/.  Error code is 2150858819 and Error Message is 鿰柣ƴ.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Forwarding" Guid="{699e309c-e782-4400-98c8-e21d162d7b7b}" />
    <EventID>105</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2020-10-28T02:37:05.265085100Z" />
    <EventRecordID>438</EventRecordID>
    <Correlation ActivityID="{2977fa9f-ac7b-0000-d9fb-77297bacd601}" />
    <Execution ProcessID="2732" ThreadID="5668" />
    <Channel>Microsoft-Windows-Forwarding/Operational</Channel>
    <Computer>computer_name</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <EventData Name="SubscriptionManagerStatus">
    <Data Name="SubscriptionManagerAddress">HTTPS://private_ip_address:5986/wsman/</Data>
    <Data Name="ErrorCode">2150858819</Data>
    <Data Name="ErrorMessage">鿰柣ƴ</Data>
  </EventData>
</Event>

I have also tried port 5985 and it faces a similar error. I have checked whether the server (the Ubuntu machine) is reachable or not by doing a GET request with the Postman API tool. A POST request seems to not work, which might be the cause behind this problem.

Below is my NXLog config:

<Input wseventing>
    Module          im_wseventing
    ListenAddr      0.0.0.0
    Port            5986
    Address         https://private_ip_address:5986/wsman
    HTTPSCertFile   %CERTDIR%/server-cert.pem
    HTTPSCertKeyFile %CERTDIR%/server-key.pem
    HTTPSCAFile     %CERTDIR%/ca-cert.pem
    <QueryXML>
      <QueryList>
        <Computer>*</Computer>
        <Query Id="0">
          <Select Path="Application">*</Select>
          <Select Path="Security">*</Select>
          <Select Path="Setup">*</Select>
          <Select Path="System">*</Select>
          <Select Path="ForwardedEvents">*</Select>
        </Query>
      </QueryList>
    </QueryXML>
</Input>
<Output file>
    Module  om_file
    File    "/opt/nxlog/var/log/nxlog/windows_events.log"
</Output>
<Route route_wsevents>
    Path wseventing => file
</Route>

Let me know how I can overcome this issue, if possible.

Thanks.

Asked October 28, 2020 - 4:49am
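As an added example (not from the post or from NXLog), the following Python script parses the Event ID 105 record quoted above, renders the error code in the HRESULT form the WinRM documentation uses, flags the unreadable message text, and cross-checks the forwarder's subscription manager URL against the Port and Address directives of the im_wseventing block. The event and config samples are constructed from the post (placeholders kept as they appear there); the standard Windows event XML namespace is assumed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Constructed sample: the Event ID 105 record from the post, trimmed to the elements used here.
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData Name="SubscriptionManagerStatus">
    <Data Name="SubscriptionManagerAddress">HTTPS://private_ip_address:5986/wsman/</Data>
    <Data Name="ErrorCode">2150858819</Data>
    <Data Name="ErrorMessage">\u9ff0\u67e3\u01b4</Data>
  </EventData>
</Event>"""

# Constructed sample: the im_wseventing directives from the post that matter here.
NXLOG_CFG = """<Input wseventing>
    Module   im_wseventing
    Port     5986
    Address  https://private_ip_address:5986/wsman
</Input>"""


def parse_forwarding_event(xml_text):
    """Extract the SubscriptionManagerStatus fields of a Forwarding/Operational event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text or "" for d in root.find("e:EventData", NS)}
    code, msg = int(data["ErrorCode"]), data["ErrorMessage"]
    return {
        "address": data["SubscriptionManagerAddress"],
        "error_code": code,
        "hresult": f"0x{code & 0xFFFFFFFF:08X}",  # the form the WinRM docs use
        # Garbled text like the post's is useless; then only the code can be trusted.
        "message_readable": msg.isascii() and msg.isprintable(),
    }


def check_against_collector(event, cfg):
    """List mismatches between the forwarder's target URL and the collector's config."""
    port = int(re.search(r"^\s*Port\s+(\d+)", cfg, re.M).group(1))
    want = urlsplit(re.search(r"^\s*Address\s+(\S+)", cfg, re.M).group(1).lower())
    got = urlsplit(event["address"].lower())
    problems = []
    if got.scheme != want.scheme:
        problems.append(f"scheme: client {got.scheme}, Address {want.scheme}")
    if got.hostname != want.hostname:
        problems.append(f"host: client {got.hostname}, Address {want.hostname}")
    if not (got.port == want.port == port):
        problems.append(f"port: client {got.port}, Address {want.port}, Port {port}")
    if got.path.rstrip("/") != want.path.rstrip("/"):  # "/wsman/" vs "/wsman" is fine
        problems.append(f"path: client {got.path}, Address {want.path}")
    return problems
```

For the post's own values the cross-check returns no mismatches, which is consistent with the thread's conclusion that the fault lay in the certificates rather than the address.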

Answer (1)

Hello,

First, a quick question: in the ErrorMessage line you have some chars that don't tell much. Is it a copy-paste error or does it look this way at its root?

I'm asking about the line <Data Name="ErrorMessage">鿰柣ƴ</Data>.

I suppose it's for the purpose of this question, but just for clarity: the private_ip_address works correctly in your network, right?

Best regards,

Rafal

Comments (4)

  • AH_601191

    Yes, the error message looks somewhat like this: Error code is 2150858819 and Error Message is ?柣ƴ. It's a really weird message; the message in my post somehow did not get displayed properly, but the characters in this comment are what it looks like. Yes, private_ip_address works correctly with the network. I tried the same thing with the HTTP module and everything works with that module; this was done to check whether there is communication between the client and server and not any issue in the network. Here's the config for HTTP communication.

    <Input http>
        Module              im_http
        ListenAddr          0.0.0.0:8888
        HTTPSCertFile       %CERTDIR%/server-cert.pem
        HTTPSCertKeyFile    %CERTDIR%/server-key.pem
        HTTPSCAFile         %CERTDIR%/ca-cert.pem
        HTTPSRequireCert    TRUE
        HTTPSAllowUntrusted FALSE
    </Input>
    <Output file>
        Module  om_file
        File    "/opt/nxlog/var/log/nxlog/windows_events.log"
    </Output>
    <Route route_wsevents>
        Path http => file
    </Route>

  • raf (NXLog)

    Thank you for the additional info.

    The error code leads to ERROR_WSMAN_INVALID_XML, I'll continue searching.

    In the meantime, have you checked that your port 5985 (or 5668) isn't blocked by the Windows firewall? This might have led to this error.

    Best regards,

    Rafal

  • AH_601191

    Hey Rafal,
    Thanks for the help. I was able to resolve the issue; it was probably due to a bad certificate. I was able to get Windows logs to the Linux collector successfully after regenerating the certs.
    Thanks for the help. You guys are amazing.