Windows Group Policy
-
[email protected]
- Posts: 6
- Joined: Fri Feb 27, 2015 4:32 pm
Windows Group Policy
Are there any group policies in Windows that need to be set to allow the Nagios cluster to receive logs? We just enabled GPOs in Active Directory and the count of hosts sending logs went from 42 down to 7.
-
jdalrymple
- Skynet Drone
- Posts: 2620
- Joined: Wed Feb 11, 2015 1:56 pm
Re: Windows Group Policy
It's very likely that your new policies are causing the issue.
Maybe something in the policies is preventing network transmission from the nxlog service to the NLS?
Maybe something in the policies is preventing the nxlog service from running at all?
I would engage the help of your AD/GPO experts to identify what is causing the stoppage of log data, but those 2 things are the first 2 low-hanging fruit to double-check.
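To make the two low-hanging-fruit checks above concrete, here is a small Python diagnostic added to this thread (it is not code from the thread, from Nagios or from nxlog) that can be run on one of the affected Windows hosts with Python installed. It answers the two questions in order: is the nxlog service actually running, and does a TCP connection to the NLS port complete, get refused, or time out. A timeout is the usual signature of a firewall or policy that silently drops the traffic, whereas a refusal means the packet arrived but nothing was listening. The NLS address 10.27.10.90 and port 3515 come from the thread; the service name "nxlog", the hint texts and the loopback self-check helper are my assumptions.

```python
import errno
import platform
import re
import socket
import subprocess

# Values from the thread: the Nagios Log Server (NLS) address and the nxlog TCP port.
NLS_HOST = "10.27.10.90"
NLS_PORT = 3515
# Assumption: the nxlog Windows service is registered under the name "nxlog".
NXLOG_SERVICE = "nxlog"


def classify_tcp_path(host, port, timeout=3.0):
    """Attempt one TCP connect and name the outcome.

    "open"        - handshake completed, something listens on the port
    "refused"     - the SYN reached a host that answered with RST (nothing listening)
    "timeout"     - no answer at all: typical of a firewall/policy that drops silently
    "unreachable" - routing problem; "dns-failure" - the name did not resolve
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error:%s" % exc.errno


# Assumed remediation hints for each outcome (my wording, not Nagios documentation).
HINTS = {
    "open": "TCP path is fine; look at the nxlog service state and its config instead.",
    "timeout": "Silent drop: check Windows Firewall outbound rules and any GPO-applied firewall policy.",
    "refused": "Host reachable but port closed: check that the NLS input on this port is listening.",
    "unreachable": "Routing problem between this host and the NLS.",
    "dns-failure": "Name resolution failed; try the NLS IP address directly.",
}


def parse_sc_query(output):
    """Extract the STATE word (RUNNING, STOPPED, ...) from `sc query <service>` output.

    Returns None when the service is not found or the output does not match.
    """
    match = re.search(r"STATE\s*:\s*\d+\s+([A-Z_]+)", output)
    return match.group(1) if match else None


def nxlog_service_state(service=NXLOG_SERVICE):
    """Ask the Service Control Manager on Windows; returns None on other platforms."""
    if platform.system() != "Windows":
        return None
    proc = subprocess.run(["sc", "query", service], capture_output=True, text=True)
    return parse_sc_query(proc.stdout)


def loopback_listener():
    """Open a listening socket on an ephemeral loopback port (for self-checks only)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    state = nxlog_service_state()
    print("nxlog service state:", state or "unknown (not Windows, or service not found)")
    result = classify_tcp_path(NLS_HOST, NLS_PORT)
    print("TCP %s:%d -> %s" % (NLS_HOST, NLS_PORT, result))
    print(HINTS.get(result, "Unexpected socket error; see the errno in the result."))
```

Run it under the same account the nxlog service uses if you can: a GPO that restricts outbound connections per user or per service will not show up when the test is run from an administrator's desktop session.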
-
[email protected]
- Posts: 6
- Joined: Fri Feb 27, 2015 4:32 pm
Re: Windows Group Policy
jdalrymple wrote:It's very likely that your new policies are causing the issue.
Maybe something in the policies is preventing network transmission from the nxlog service to the NLS?
Maybe something in the policies is preventing the nxlog service from running at all?
I would engage the help of your AD/GPO experts to identify what is causing the stoppage of log data, but those 2 things are the first 2 low-hanging fruit to double-check.
We checked the GPO, and can't find anything that changed with the permissions. The nxlog service is running and has established communication with the Nagios server over port 3515.
2015-03-05 23:52:18 INFO connecting to 10.27.10.90:3515
2015-03-05 23:52:18 INFO nxlog-ce-2.8.1248 started
I enabled debugging for a while and it gave me a bunch of lines, but I can't pinpoint the issue.
-4576-9e61-2fd025fe16cc, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n10: c60b048b-8071-4532-8398-f15f4c981861, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n11: c837408d-3762-4dea-a4d7-6dba48f6c305, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n12: c99b641f-c4ea-4e63-bec3-5ed2ccd0f357, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n13: da71774d-b2c9-4c42-bb7b-a66365d5abb2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n14: f14c8ee3-560d-441e-aee1-325c2e9ae74a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]\n\n"}
{"EventTime":"2015-03-05 22:30:56","Hostname":"I119065emci9030.emcdsm.com","Keywords":36028797018963968,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":902,"SourceName":"Microsoft-Windows-Security-SPP","ProviderGuid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":42580,"ProcessID":0,"ThreadID":0,"Channel":"Application","EventReceivedTime":"2015-03-05 22:30:56","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"The Software Protection service has started.\r\n6.1.7601.17514"}
{"EventTime":"2015-03-05 22:30:55","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4624,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12544,"OpcodeValue":0,"RecordNumber":13396,"ProcessID":508,"ThreadID":560,"Channel":"Security","Category":"Logon","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"I119065EMCI9030$","SubjectDomainName":"EMCDSM","SubjectLogonId":"0x3e7","TargetUserSid":"S-1-5-18","TargetUserName":"SYSTEM","TargetDomainName":"NT AUTHORITY","TargetLogonId":"0x3e7","LogonType":"5","LogonProcessName":"Advapi ","AuthenticationPackageName":"Negotiate","LogonGuid":"{00000000-0000-0000-0000-000000000000}","TransmittedServices":"-","LmPackageName":"-","KeyLength":"0","ProcessName":"C:\\Windows\\System32\\services.exe","IpAddress":"-","IpPort":"-","EventReceivedTime":"2015-03-05 22:30:58","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"An account was successfully logged on.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tI119065EMCI9030$\r\n\tAccount Domain:\t\tEMCDSM\r\n\tLogon ID:\t\t0x3e7\r\n\r\nLogon Type:\t\t\t5\r\n\r\nNew Logon:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3e7\r\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1ec\r\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\r\n\r\nNetwork Information:\r\n\tWorkstation Name:\t\r\n\tSource Network Address:\t-\r\n\tSource Port:\t\t-\r\n\r\nDetailed Authentication Information:\r\n\tLogon Process:\t\tAdvapi \r\n\tAuthentication Package:\tNegotiate\r\n\tTransited Services:\t-\r\n\tPackage Name (NTLM only):\t-\r\n\tKey Length:\t\t0\r\n\r\nThis event is generated when a logon session is created. 
It is generated on the computer that was accessed.\r\n\r\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\r\n\r\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\r\n\r\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\r\n\r\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\r\n\r\nThe authentication information fields provide detailed information about this specific logon request.\r\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\r\n\t- Transited services indicate which intermediate services have participated in this logon request.\r\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\r\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."}
{"EventTime":"2015-03-05 22:30:55","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4672,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12548,"OpcodeValue":0,"RecordNumber":13397,"ProcessID":508,"ThreadID":560,"Channel":"Security","Category":"Special Logon","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e7","PrivilegeList":"SeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege","EventReceivedTime":"2015-03-05 22:30:58","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"Special privileges assigned to new logon.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tSYSTEM\r\n\tAccount Domain:\t\tNT AUTHORITY\r\n\tLogon ID:\t\t0x3e7\r\n\r\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\r\n\t\t\tSeTcbPrivilege\r\n\t\t\tSeSecurityPrivilege\r\n\t\t\tSeTakeOwnershipPrivilege\r\n\t\t\tSeLoadDriverPrivilege\r\n\t\t\tSeBackupPrivilege\r\n\t\t\tSeRestorePrivilege\r\n\t\t\tSeDebugPrivilege\r\n\t\t\tSeAuditPrivilege\r\n\t\t\tSeSystemEnvironmentPrivilege\r\n\t\t\tSeImpersonatePrivilege"}
{"EventTime":"2015-03-05 22:30:55","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9187343239835811840,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":64340,"ProcessID":492,"ThreadID":1472,"Channel":"System","param1":"Software Protection","param2":"running","EventReceivedTime":"2015-03-05 22:30:58","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"The Software Protection service entered the running state."}
{"EventTime":"2015-03-05 22:30:56","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9187343239835811840,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":64341,"ProcessID":492,"ThreadID":1472,"Channel":"System","param1":"Windows Modules Installer","param2":"running","EventReceivedTime":"2015-03-05 22:30:58","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"The Windows Modules Installer service entered the running state."}
{"EventTime":"2015-03-05 22:30:58","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1015,"SourceName":"Microsoft-Windows-DNS-Client","ProviderGuid":"{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":6677,"ProcessID":976,"ThreadID":988,"Channel":"Microsoft-Windows-DNS-Client/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"NETWORK SERVICE","AccountType":"Well Known Group","Opcode":"Info","QueryName":"www.msftncsi.com","AddressLength":"16","Address":"020000350A1B0A5F0000000000000000","EventReceivedTime":"2015-03-05 22:31:00","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"Name resolution for the name http://www.msftncsi.com timed out after the DNS server 10.27.10.95:53 did not respond."}
{"EventTime":"2015-03-05 22:30:58","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9223372036854775808,"EventType":"ERROR","SeverityValue":4,"Severity":"ERROR","EventID":1013,"SourceName":"Microsoft-Windows-DNS-Client","ProviderGuid":"{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":6678,"ProcessID":976,"ThreadID":988,"Channel":"Microsoft-Windows-DNS-Client/Operational","Domain":"NT AUTHORITY","AccountName":"NETWORK SERVICE","UserID":"NETWORK SERVICE","AccountType":"Well Known Group","Opcode":"Info","QueryName":"www.msftncsi.com","AddressLength":"16","Address":"020000350A1B0A5F0000000000000000","EventReceivedTime":"2015-03-05 22:31:00","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"Name resolution for the name http://www.msftncsi.com timed out after none of the configured DNS servers responded."}
{"EventTime":"2015-03-05 22:31:10","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9187343239835811840,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":64342,"ProcessID":492,"ThreadID":1472,"Channel":"System","param1":"Application Management","param2":"running","EventReceivedTime":"2015-03-05 22:31:11","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"The Application Management service entered the running state."}
{"EventTime":"2015-03-05 22:31:40","Hostname":"I119065emci9030.emcdsm.com","Keywords":-9187343239835811840,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":7036,"SourceName":"Service Control Manager","ProviderGuid":"{555908D1-A6D7-4695-8E1E-26931D2012F4}","Version":0,"Task":0,"OpcodeValue":0,"RecordNumber":64343,"ProcessID":492,"ThreadID":1472,"Channel":"System","param1":"Application Information","param2":"running","EventReceivedTime":"2015-03-05 22:31:41","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog","message":"The Application Information service entered the running state."}
Any thoughts?
-
[email protected]
- Posts: 6
- Joined: Fri Feb 27, 2015 4:32 pm
Re: Windows Group Policy
I think we were able to fix the issue by adding the Administrator to the nxlog file and restarting the service. However, while I can see the count of logs being received going up, I haven't seen the logs from the hosts yet. Is there a way to list all the hosts sending logs from the CLI? I assume that the database may take a while to update the console, correct?
Re: Windows Group Policy
The console update period should be very quick - within one second in most cases. This is one way you might approach seeing a list of hosts:
-In the NLC WebGUI, navigate to 'Dashboard' and perform a blank search. After doing so, find a filter that might uniquely identify your Windows computers - for you, this may be something like the Domain. Click 'Domain' on the 'All Events > Fields' panel, and filter by your Windows Domain. After this has been done, you can select "Host > Terms > Pie" to make a pie-chart of your Windows machines that have sent in logs. Feel free to adjust the time period at this point.
Let us know if that helps!
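For the CLI side of the question (which hosts are actually sending, and which expected hosts have gone silent after the GPO change), here is an added Python example; it is not code from the thread, from Nagios or from nxlog, and it works on raw nxlog JSON lines like the debug output posted earlier rather than on the WebGUI. It assumes that output has been captured to a file, one JSON object per line. The sample lines are constructed in the shape of the thread's events (fields trimmed to the ones used); the second host and the inventory list are made up. Host names are compared case-insensitively because Windows reports the same machine as I119065EMCI9030$ in one field and I119065emci9030.emcdsm.com in another.

```python
import json
import sys

# Constructed sample in the shape of the nxlog JSON lines shown earlier in the
# thread, trimmed to the fields this script reads. The second host and the
# plain-text nxlog line at the end are made up to exercise every code path.
SAMPLE_LINES = """\
{"EventTime":"2015-03-05 22:30:55","Hostname":"I119065emci9030.emcdsm.com","EventID":4624,"Channel":"Security","EventReceivedTime":"2015-03-05 22:30:58","SourceModuleType":"im_msvistalog"}
{"EventTime":"2015-03-05 22:31:10","Hostname":"I119065emci9030.emcdsm.com","EventID":7036,"Channel":"System","EventReceivedTime":"2015-03-05 22:31:11","SourceModuleType":"im_msvistalog"}
{"EventTime":"2015-03-05 22:31:40","Hostname":"ws-07.emcdsm.com","EventID":7036,"Channel":"System","EventReceivedTime":"2015-03-05 22:31:41","SourceModuleType":"im_msvistalog"}
2015-03-05 23:52:18 INFO nxlog-ce-2.8.1248 started
"""


def normalise_host(name):
    """Lower-case the name and drop a trailing '$' (machine account) or '.'."""
    return name.strip().rstrip("$").rstrip(".").lower()


def summarize_hosts(lines):
    """Aggregate nxlog JSON lines per sending host.

    Returns (hosts, skipped). hosts maps normalised hostname -> {"events", "last_seen",
    "channels"}; skipped counts lines that are not JSON objects with a Hostname field.
    """
    hosts = {}
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:        # JSONDecodeError is a ValueError
            skipped += 1
            continue
        if not isinstance(event, dict) or "Hostname" not in event:
            skipped += 1
            continue
        host = normalise_host(event["Hostname"])
        entry = hosts.setdefault(host, {"events": 0, "last_seen": "", "channels": set()})
        entry["events"] += 1
        entry["channels"].add(event.get("Channel", "?"))
        # "YYYY-MM-DD HH:MM:SS" sorts correctly as a plain string.
        received = event.get("EventReceivedTime", "")
        if received > entry["last_seen"]:
            entry["last_seen"] = received
    return hosts, skipped


def missing_hosts(hosts, expected):
    """Names from the inventory that have not sent a single event."""
    return sorted(set(normalise_host(h) for h in expected) - set(hosts))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LINES.splitlines()
    hosts, skipped = summarize_hosts(lines)
    for host, info in sorted(hosts.items()):
        print("%-35s %5d events  last %s  channels=%s" % (
            host, info["events"], info["last_seen"], ",".join(sorted(info["channels"]))))
    print("skipped non-event lines:", skipped)
    # Constructed inventory: the hosts you expect to be reporting.
    expected = ["I119065EMCI9030.emcdsm.com", "ws-07.emcdsm.com", "ws-08.emcdsm.com"]
    print("silent hosts:", missing_hosts(hosts, expected))
```

Run it as `python host_inventory.py captured.json` with a real capture, or with no argument to see the constructed sample. The "silent hosts" list is the piece the pie chart does not give you directly: feeding it the 42-host inventory from before the GPO rollout tells you exactly which 35 machines to look at first.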