Currently I am working on using nxlog to collect Windows event logs on my Ubuntu 22 desktop using the Kerberos authentication approach.
I have prepared three virtual machines to achieve the event collection. A Windows 10 machine acts as the WEC client, an Ubuntu desktop acts as the WEC server with hostname linux-wec, and an Active Directory server (Windows Server 2019) with hostname ADSERVER handles the domain and DNS server tasks. These devices are able to ping each other.
I have followed all the steps (including the configuration for the WEC client to send events to NXLog), but I am encountering a problem at "Configure Kerberos on the WEC server" Step 7: I run the command and restart the nxlog service. In nxlog.log, after the connection is established between the WEC server and the WEC client, it includes this error:
ERROR [im_wseventing|windows_events] GSS-API error gss_accept_sec_context - type: major code: 851968, msg: Unspecified GSS failure. Minor code may provide more information
ERROR [im_wseventing|windows_events] GSS-API error gss_accept_sec_context - type: minor code: -1765328349, msg: Request ticket server HTTP/linux-wec.abc.local@ABC.LOCAL not found in keytab (ticket kvno 7)
Any idea or suggestion on this? I have spent a few days on it and still cannot find a solution. I tried changing the encryption method, re-requesting the ticket, and redoing everything, but I still get this error.
krb5.conf
[libdefaults]
default_realm = ABC.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
ABC.LOCAL = {
kdc = ADSERVER.abc.local
admin_server = ADSERVER.abc.local
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu
kdc = kerberos-1.mit.edu
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos-1.srv.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
kdc = kerberos-3.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
.abc.local = ABC.LOCAL
abc.local = ABC.LOCAL
nxlog.conf
User nxlog
Group nxlog
Panic Soft
# default values:
define INSTALLDIR /opt/nxlog
# PidFile %INSTALLDIR%/var/run/nxlog/nxlog.pid
# CacheDir %INSTALLDIR%/var/spool/nxlog
# ModuleDir %INSTALLDIR%/lib/nxlog/modules
# SpoolDir %INSTALLDIR%/var/spool/nxlog
define CERTDIR %INSTALLDIR%/var/lib/nxlog/cert
define CONFDIR %INSTALLDIR%/etc/nxlog.d
# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %INSTALLDIR%/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log
# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
#include %CONFDIR%/*.conf
LogLevel INFO
LogFile %MYLOGFILE%

<Extension _syslog>
    Module xm_syslog
</Extension>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop
    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>
    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Input windows_events>
    Module im_wseventing
    Address http://linux-wec.abc.local:80/wsman/
    ListenAddr 0.0.0.0
    Port 80
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Setup">*</Select>
                <Select Path="System">*</Select>
                <Select Path="ForwardedEvents">*</Select>
                <Select Path="Windows PowerShell">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Log connections for testing and troubleshooting
    LogConnections TRUE
</Input>

<Output file>
    Module om_file
    File "%LOGDIR%/windows.log"
</Output>

<Route uds_to_file>
    Path windows_events => file
</Route>
Extra Info:
Server=HTTP://linux-wec.abc.local:80/wsman/,Refresh=30
After a few days of retrying and researching, and thanks to grawity_u1686's advice, I managed to solve the problem.
The problem is that on my AD server, under Active Directory Users and Computers > abc.local > Users, in the Account tab of the Properties of my Linux user record (linux-wec), the User logon name holds the value HTTP/linux-wec.abc.local, indicating that the principal used should be HTTP, not http. By recreating the keytab with the HTTP principal, my NXLog managed to work normally.
Help appreciated with thanks.
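The root cause above is a case mismatch between the service principal the KDC put in the ticket (HTTP/linux-wec.abc.local@ABC.LOCAL, kvno 7) and the entry in the server's keytab. The following shell helper, added here as an example and not part of the original post or of NXLog, pulls the principal and kvno out of that GSS-API error line and checks a `klist -kt` listing for an exact, case-sensitive match with the right kvno, so the three common causes (wrong case, stale kvno, missing principal) are told apart; the keytab listing below is constructed sample input.

```shell
#!/bin/sh
# Kerberos principal names are case-sensitive: a keytab entry for
# "http/host@REALM" does not satisfy a ticket issued for "HTTP/host@REALM",
# and the keytab kvno must also match the kvno the ticket carries.

# Pull "<principal> <kvno>" out of the GSS-API minor-code error line.
principal_from_error() {
    printf '%s\n' "$1" | sed -n \
        's/.*Request ticket server \([^ ]*\) not found in keytab (ticket kvno \([0-9]*\)).*/\1 \2/p'
}

# Check `klist -kt` output for an exact, case-sensitive principal with the
# expected kvno. Returns 0 match, 1 case-only mismatch, 2 kvno mismatch,
# 3 principal absent, and prints a one-line diagnosis.
check_keytab_principal() {
    listing=$1; wanted=$2; kvno=$3
    # Keep only data rows (first field is the numeric KVNO) as "<kvno> <principal>"
    rows=$(printf '%s\n' "$listing" | awk '$1 ~ /^[0-9]+$/ {print $1, $NF}')
    if printf '%s\n' "$rows" | awk -v p="$wanted" -v k="$kvno" '$2==p && $1==k {f=1} END {exit !f}'; then
        echo "OK: $wanted with kvno $kvno is in the keytab"; return 0
    fi
    if printf '%s\n' "$rows" | awk -v p="$wanted" '$2==p {f=1} END {exit !f}'; then
        echo "KVNO MISMATCH: $wanted is in the keytab but not with kvno $kvno; regenerate the keytab"; return 2
    fi
    found=$(printf '%s\n' "$rows" | awk -v p="$wanted" 'tolower($2)==tolower(p) {print $2; exit}')
    if [ -n "$found" ]; then
        echo "CASE MISMATCH: keytab has $found but the ticket names $wanted; recreate the keytab with $wanted"; return 1
    fi
    echo "ABSENT: $wanted is not in the keytab"; return 3
}

# Constructed sample inputs: the error line from the question and a keytab
# listing (in the shape `klist -kt` prints) holding the lower-case principal.
ERROR_LINE='ERROR [im_wseventing|windows_events] GSS-API error gss_accept_sec_context - type: minor code: -1765328349, msg: Request ticket server HTTP/linux-wec.abc.local@ABC.LOCAL not found in keytab (ticket kvno 7)'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   7 01/01/2024 00:00:00 http/linux-wec.abc.local@ABC.LOCAL'

# Stand-alone run against the sample. On a live host use the real listing:
#   check_keytab_principal "$(klist -kt /etc/krb5.keytab)" <principal> <kvno>
set -- $(principal_from_error "$ERROR_LINE")
check_keytab_principal "$SAMPLE_KLIST" "$1" "$2" || echo "keytab needs fixing (status $?)"
```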