NXlog Kerberos Principal not found in keytab

NXlog im_wseventing Request ticket server HTTP/domain@REALM not found in keytab

Currently I am working on using nxlog to collect Windows event logs to my Ubuntu 22 desktop using the Kerberos authentication approach.

I have prepared three virtual machines to achieve the event collecting. A Windows 10 machine acts as the WEC Client, an Ubuntu desktop acts as the WEC Server with hostname linux-wec, and an Active Directory server (Windows Server 2019) with hostname ADSERVER handles the domain and DNS server related tasks. These devices are able to ping each other.

I have followed all the steps (including the configuration for the WEC Client to send events to NXlog), but I am encountering a problem at "Configure Kerberos on the WEC server" Step 7: I run the command and restart the nxlog service. In the nxlog.log, after the connection is established between the WEC Server and the WEC Client, it includes this error:

ERROR [im_wseventing|windows_events] GSS-API error gss_accept_sec_context - type: major code: 851968, msg: Unspecified GSS failure.  Minor code may provide more information

ERROR [im_wseventing|windows_events] GSS-API error gss_accept_sec_context - type: minor code: -1765328349, msg: Request ticket server HTTP/linux-wec.abc.local@ABC.LOCAL not found in keytab (ticket kvno 7)

Any idea or suggestion on this? I have spent a few days on it and still cannot find a solution. I tried to change the encryption method, re-issue the ticket, and redo everything, but I am still getting this error.

krb5.conf

[libdefaults]
    default_realm = ABC.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true
[realms]
    ABC.LOCAL = {
        kdc = ADSERVER.abc.local
        admin_server = ADSERVER.abc.local
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    CSAIL.MIT.EDU = {
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    ANDREW.CMU.EDU = {
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos-1.srv.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        kdc = kerberos-3.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    UTORONTO.CA = {
        kdc = kerberos1.utoronto.ca
        kdc = kerberos2.utoronto.ca
        kdc = kerberos3.utoronto.ca
        admin_server = kerberos1.utoronto.ca
        default_domain = utoronto.ca
    }
[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
    .toronto.edu = UTORONTO.CA
    .utoronto.ca = UTORONTO.CA
    .abc.local = ABC.LOCAL
    abc.local = ABC.LOCAL

nxlog.conf

User nxlog
Group nxlog
Panic Soft

# default values:
define INSTALLDIR /opt/nxlog
# PidFile   %INSTALLDIR%/var/run/nxlog/nxlog.pid
# CacheDir  %INSTALLDIR%/var/spool/nxlog
# ModuleDir %INSTALLDIR%/lib/nxlog/modules
# SpoolDir %INSTALLDIR%/var/spool/nxlog

define CERTDIR %INSTALLDIR%/var/lib/nxlog/cert
define CONFDIR %INSTALLDIR%/etc/nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %INSTALLDIR%/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
#include %CONFDIR%/*.conf
LogLevel    INFO
LogFile     %MYLOGFILE%

<Extension _syslog>
    Module  xm_syslog
</Extension>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                 file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Input windows_events>
    Module              im_wseventing
    Address             http://linux-wec.abc.local:80/wsman/
    ListenAddr          0.0.0.0
    Port                80
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Setup">*</Select>
                <Select Path="System">*</Select>
                <Select Path="ForwardedEvents">*</Select>
                <Select Path="Windows PowerShell">*</Select>
            </Query>
        </QueryList>
    </QueryXML>

    # Log connections for testing and troubleshooting
    LogConnections      TRUE
</Input>

<Output file>
    Module  om_file
    File    "%LOGDIR%/windows.log"
</Output>

<Route uds_to_file>
    Path  windows_events => file
</Route>

Extra Info:

  1. ADSERVER and WEC Client are included in the abc.local domain.
  2. I have created a reverse lookup zone when I create a DNS record for linux-wec.
  3. I have created an account in the ADSERVER's Active Directory Users and Computers > abc.local > Users for linux-wec as guided by the link above.
  4. In the WEC Client, under gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager, I have enabled the setting and in the Options (Show... button), I entered this as the value:
     Server=HTTP://linux-wec.abc.local:80/wsman/,Refresh=30

Solution

  • After a few days of retrying and researching, and thanks to grawity_u1686's advice, I managed to solve the problem.

    The problem was in my AD Server, under Active Directory Users and Computers > abc.local > Users: in the Account tab of the Properties of my linux user record (linux-wec), the User logon name holds the value HTTP/linux-wec.abc.local, indicating that the principal used should be HTTP, not http. By recreating the keytab with the HTTP principal, my NXLog managed to work normally.

    Help appreciated with thanks.
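A small keytab sanity check for the mismatch described in the answer, as an added example (not from the original post): it pulls the requested principal and kvno out of the logged GSS-API error and compares them, case-sensitively, against a `klist -kt` listing. The listing, keytab path and timestamps below are constructed to reproduce the question's situation.

```shell
#!/bin/sh
# Added example, not from the original post: check whether the principal a
# Windows client requested (taken from the nxlog.log GSS-API error) really
# exists in the keytab. Principal names are case-sensitive, so
# HTTP/host@REALM and http/host@REALM are different keys, and the key
# version (kvno) must also match the ticket's kvno.

# Constructed error line, as logged by im_wseventing in the question.
ERROR_LINE='ERROR [im_wseventing|windows_events] GSS-API error gss_accept_sec_context - type: minor code: -1765328349, msg: Request ticket server HTTP/linux-wec.abc.local@ABC.LOCAL not found in keytab (ticket kvno 7)'

# Constructed `klist -kt` listing of a keytab created with the lowercase
# service name, i.e. the misconfiguration that caused the error.
KEYTAB_LISTING='Keytab name: FILE:/etc/nxlog.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   7 01/02/2024 10:00:00 http/linux-wec.abc.local@ABC.LOCAL
   7 01/02/2024 10:00:00 http/linux-wec.abc.local@ABC.LOCAL'

# parse_error LINE -> prints "PRINCIPAL KVNO" extracted from the error text.
parse_error() {
    printf '%s\n' "$1" |
      sed -n 's/.*Request ticket server \([^ ]*\) not found in keytab (ticket kvno \([0-9]*\)).*/\1 \2/p'
}

# check_keytab LISTING PRINCIPAL KVNO
# Exit status: 0 exact principal+kvno found, 1 only a differently-cased
# principal exists, 2 principal exists but not at that kvno, 3 absent.
check_keytab() {
    listing=$1; want=$2; kvno=$3
    # Keep only entry lines (leading integer kvno), as "KVNO PRINCIPAL".
    entries=$(printf '%s\n' "$listing" | awk '$1 ~ /^[0-9]+$/ {print $1, $NF}')
    names=$(printf '%s\n' "$entries" | awk '{print $2}')
    if printf '%s\n' "$entries" | grep -qxF "$kvno $want"; then
        echo "OK: $want with kvno $kvno is in the keytab"; return 0
    elif printf '%s\n' "$names" | grep -qxF "$want"; then
        echo "KVNO MISMATCH: $want present but not at kvno $kvno; re-export the keytab"; return 2
    elif printf '%s\n' "$names" | grep -qixF "$want"; then
        echo "CASE MISMATCH: keytab has a differently-cased principal; recreate it as $want"; return 1
    fi
    echo "MISSING: $want is not in the keytab"; return 3
}

# Diagnose the question's situation: the client asked for HTTP/..., the
# keytab only holds http/..., so this reports a case mismatch (status 1).
set -- $(parse_error "$ERROR_LINE")
check_keytab "$KEYTAB_LISTING" "$1" "$2" || echo "check_keytab returned $?"
```

On a real host, replace the constructed listing with `klist -kt /path/to/nxlog.keytab` and the error line with the one from nxlog.log.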