Currently I am working on using nxlog to collect Windows event logs to my Ubuntu 22 desktop using the Kerberos authentication approach.
I have prepared three virtual machines to achieve the event collecting. A Windows 10 machine acts as the WEC client, an Ubuntu desktop acts as the WEC server with hostname linux-wec, and an Active Directory server (Windows Server 2019) with hostname ADSERVER handles the domain and DNS server related tasks. These devices are able to ping each other.
I have followed all the steps (including the configuration for the WEC client to send events to NXLog), but I am encountering a problem at "Configure Kerberos on the WEC server" Step 7: I ran the command and restarted the nxlog service. In nxlog.log, after the connection is established between the WEC server and the WEC client, it includes this error:
ERROR [im_wseventing|windows_events] GSS-API error gss_accept_sec_context - type: major code: 851968, msg: Unspecified GSS failure. Minor code may provide more information
ERROR [im_wseventing|windows_events] GSS-API error gss_accept_sec_context - type: minor code: -1765328349, msg: Request ticket server HTTP/linux-wec.abc.local@ABC.LOCAL not found in keytab (ticket kvno 7)
Any idea or suggestion on this? I have spent a few days on it and still cannot find a solution. I tried to change the encryption method, re-invoke the ticket, and redo everything, but I am still getting this error.
krb5.conf

[libdefaults]
    default_realm = ABC.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true

[realms]
    ABC.LOCAL = {
        kdc = ADSERVER.abc.local
        admin_server = ADSERVER.abc.local
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    CSAIL.MIT.EDU = {
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    ANDREW.CMU.EDU = {
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos-1.srv.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        kdc = kerberos-3.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    UTORONTO.CA = {
        kdc = kerberos1.utoronto.ca
        kdc = kerberos2.utoronto.ca
        kdc = kerberos3.utoronto.ca
        admin_server = kerberos1.utoronto.ca
        default_domain = utoronto.ca
    }

[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
    .toronto.edu = UTORONTO.CA
    .utoronto.ca = UTORONTO.CA
    .abc.local = ABC.LOCAL
    abc.local = ABC.LOCAL
nxlog.conf

User nxlog
Group nxlog
Panic Soft

# default values:
define INSTALLDIR /opt/nxlog
# PidFile %INSTALLDIR%/var/run/nxlog/nxlog.pid
# CacheDir %INSTALLDIR%/var/spool/nxlog
# ModuleDir %INSTALLDIR%/lib/nxlog/modules
# SpoolDir %INSTALLDIR%/var/spool/nxlog
define CERTDIR %INSTALLDIR%/var/lib/nxlog/cert
define CONFDIR %INSTALLDIR%/etc/nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %INSTALLDIR%/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
#include %CONFDIR%/*.conf
LogLevel INFO
LogFile %MYLOGFILE%

<Extension _syslog>
    Module xm_syslog
</Extension>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Input windows_events>
    Module im_wseventing
    Address http://linux-wec.abc.local:80/wsman/
    ListenAddr 0.0.0.0
    Port 80
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Setup">*</Select>
                <Select Path="System">*</Select>
                <Select Path="ForwardedEvents">*</Select>
                <Select Path="Windows PowerShell">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Log connections for testing and troubleshooting
    LogConnections TRUE
</Input>

<Output file>
    Module om_file
    File "%LOGDIR%/windows.log"
</Output>

<Route uds_to_file>
    Path windows_events => file
</Route>
Extra info (the subscription manager setting on the WEC client):
Server=HTTP://linux-wec.abc.local:80/wsman/,Refresh=30
You don't have the correct principal name.
The error message says that it is looking for an HTTP/… principal, which seems correct (both the service part and the hostname part), but your keytab has http/… according to what you say in the comment. These are not the same – only Windows servers (and AD DCs) treat them as the same, but other Kerberos implementations are actually case-sensitive. The HTTP service needs to be upper-case while most other service types are lower-case.
The other entry, hosts/, has a bogus service name. Most "general-purpose login" services like SSH, Telnet, etc. use host, but nothing that I know of uses hosts.
As a temporary workaround, the "ignore acceptor name" server-side krb5.conf option could be used to have the service try to validate tickets against all entries in its keytab even if the name doesn't match.
(Ideally these two entries should be in different keytabs, with the KRB5_KTNAME= environment variable used to specify the keytab if the service doesn't have its own option for that – that way the HTTP keytab could have its file permissions separate from the machine keytab.)
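Added example, not part of the question or of the answer above: a small Python reader for the MIT keytab binary format (version 0x0502) that lists each entry's principal, kvno and enctype, then checks a requested service principal against the keytab the way an MIT acceptor does: an exact, case-sensitive principal match first, then the key version. The keytab bytes are constructed here to mirror the situation the answer describes (a lower-case http/ entry and a hosts/ entry, both at kvno 7, with zero placeholder keys); build_keytab exists only to produce that sample, and diagnose and its status strings are this example's own names, not an NXLog or MIT Kerberos API.

```python
import struct
from dataclasses import dataclass

# MIT keytab layout (version 0x0502), all integers big-endian:
#   magic 0x05 0x02, then entries of: int32 size (negative = deleted slot),
#   uint16 component count, counted-string realm, N counted-string components,
#   uint32 name type, uint32 timestamp, uint8 vno8, uint16 enctype,
#   uint16 key length, key bytes, optional uint32 vno32 (wins when non-zero).


@dataclass
class KeytabEntry:
    principal: str      # e.g. "HTTP/linux-wec.abc.local@ABC.LOCAL"
    kvno: int
    enctype: int        # 18 = aes256-cts-hmac-sha1-96
    timestamp: int


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.
    Only used to construct the sample below; never a real key source."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, ts 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> list:
    """Walk the entry list and return KeytabEntry objects (keys are skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # deleted slot: skip its bytes
            pos += -size
            continue
        end, p = pos + size, pos
        ncomp, rlen = struct.unpack(">HH", data[p:p + 4]); p += 4
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[p:p + 2]); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        _name_type, ts, vno8 = struct.unpack(">IIB", data[p:p + 9]); p += 9
        enctype, klen = struct.unpack(">HH", data[p:p + 4]); p += 4
        p += klen                         # skip the key material itself
        kvno = vno8
        if end - p >= 4:                  # trailing 32-bit kvno, if present
            (vno32,) = struct.unpack(">I", data[p:p + 4])
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts))
        pos = end
    return entries


def diagnose(entries, wanted: str, ticket_kvno: int) -> str:
    """Why a keytab would accept or reject a ticket for `wanted` at `ticket_kvno`:
    'ok', 'kvno-mismatch', 'case-mismatch' (present only in other case) or 'missing'."""
    exact = [e for e in entries if e.principal == wanted]
    if exact:
        return "ok" if any(e.kvno == ticket_kvno for e in exact) else "kvno-mismatch"
    if any(e.principal.lower() == wanted.lower() for e in entries):
        return "case-mismatch"
    return "missing"


# Constructed sample keytab: the two entries the answer describes.
SAMPLE_KEYTAB = build_keytab([
    ("http/linux-wec.abc.local@ABC.LOCAL", 7, 18, bytes(32)),
    ("hosts/linux-wec.abc.local@ABC.LOCAL", 7, 18, bytes(32)),
])

if __name__ == "__main__":
    wanted = "HTTP/linux-wec.abc.local@ABC.LOCAL"   # from the nxlog.log error
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:                                # same view as `klist -kte`
        print(f"kvno {e.kvno:>3}  enctype {e.enctype:>3}  {e.principal}")
    print("verdict for", wanted, "kvno 7:", diagnose(entries, wanted, 7))
```

On a real system, `klist -kte /path/to/keytab` gives the same listing, and the kvno printed there is what to compare against the "ticket kvno 7" in the error: a case-mismatch verdict means the entry exists only as http/ (the answer's point), while a kvno-mismatch means the HTTP/ entry is present but was exported before the account's key was last reset, so the keytab has to be regenerated.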