Discussion:
ZenEventlog: Could not read the Windows event log (NT_STATUS_ACCESS_DENIED).
Jay Kay
2012-03-29 15:04:32 UTC
Jay Kay [http://community.zenoss.org/people/jcc2186] created the discussion

"Re: ZenEventlog: Could not read the Windows event log (NT_STATUS_ACCESS_DENIED)."

To view the discussion, visit: http://community.zenoss.org/message/65612#65612

--------------------------------------------------------------
Hi All, 

I am hitting a brick wall with this too, was there ever a solution to this? I am trying to monitor a Server 2003 machine and I have tried this with a local admin account on it and a domain admin account as well (both local and on the domain). I have followed the guides on adding the CIMV2 security for these 2 accounts on: wmimgmt.msc & dcomconfig. I even went ahead and granted full read, write and execute permissions for these two (for testing of course) but it didn't help.

I turned off the firewall on the windows system and still no go.  I also went ahead and ran:

sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
From Start- Run - CMD (As administrator) and still no go.
wmic -U 'domain\user' //hostname 'SELECT Message FROM Win32_NTLogEvent WHERE LogFile="Application"'
wmic -U 'domain\user' //hostname 'SELECT Message FROM Win32_NTLogEvent WHERE LogFile="Internet Explorer"'
wmic -U 'domain\user' //hostname 'SELECT Message FROM Win32_NTLogEvent WHERE LogFile="Security"'
wmic -U 'domain\user' //hostname 'SELECT Message FROM Win32_NTLogEvent WHERE LogFile="System"'

And the commands return every single log in the machine, but there is still an alert going off on the Zenoss GUI interface telling me:

Here is the error message I get in my zeneventlog as well as the Zenoss web GUI for this server:
2012-03-29 10:42:41,174 ERROR zen.zeneventlog: Unable to scan device 192.168.6.22: NT_STATUS_ACCESS_DENIED

Any help would be greatly appreciated.

Regards,

-Juan
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/65612#65612]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]
Simon Jakesch
2012-03-29 17:26:30 UTC
Simon Jakesch [http://community.zenoss.org/people/simon] created the discussion

"Re: ZenEventlog: Could not read the Windows event log (NT_STATUS_ACCESS_DENIED)."

To view the discussion, visit: http://community.zenoss.org/message/65617#65617

--------------------------------------------------------------
Jay,

Given that you are using a local admin user for your authentication, I am wondering what //hostname resolves to. There is a possibility of the RPC handshake going wrong and therefore the communication never taking place successfully (see http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/99c278fe-df63-408b-b5b1-b95554b6b630/).

Simon
--------------------------------------------------------------

Jay Kay
2012-03-29 17:31:43 UTC
Jay Kay [http://community.zenoss.org/people/jcc2186] created the discussion

"Re: ZenEventlog: Could not read the Windows event log (NT_STATUS_ACCESS_DENIED)."

To view the discussion, visit: http://community.zenoss.org/message/65618#65618

--------------------------------------------------------------
Hey Simon,

That would make sense, but in this case I don't think it applies. The machines (both the Zenoss server and the ToBeMonitored win2k3 machine) are in the same network segment. If I do a DNS resolution of that hostname, it comes back with the correct IP. Same thing goes for the reverse lookup.

Thanks for the help.  If you have any other clues, please let me know.

Regards,
--------------------------------------------------------------

Robert Booth
2012-04-01 02:39:57 UTC
Robert Booth [http://community.zenoss.org/people/rbooth] created the discussion

"Re: ZenEventlog: Could not read the Windows event log (NT_STATUS_ACCESS_DENIED)."

To view the discussion, visit: http://community.zenoss.org/message/65670#65670

--------------------------------------------------------------
Jay,

Try running the same WMI command with the IP address instead of hostname.

If you get the same successful result, check out the event logs for any failures to connect.

If you see nothing in the event logs, try getting a network capture on the Windows server side with Wireshark if you can, or Windows NetMon. That should provide a little more information as to what exactly is happening and where.

-Rob
--------------------------------------------------------------

Jay Kay
2012-04-06 17:20:14 UTC
Jay Kay [http://community.zenoss.org/people/jcc2186] created the discussion

"Re: ZenEventlog: Could not read the Windows event log (NT_STATUS_ACCESS_DENIED)."

To view the discussion, visit: http://community.zenoss.org/message/65751#65751

--------------------------------------------------------------
Thanks Robert,

That is a great idea, I will try it with this server, although this may be a firewall-related issue as we are using an old local Sygate installation for firewall filtering.

Thanks much!
--------------------------------------------------------------

Doug Syer
2012-04-08 02:14:21 UTC
Doug Syer [http://community.zenoss.org/people/dsyer%40nwnit.com] created the discussion

"Re: ZenEventlog: Could not read the Windows event log (NT_STATUS_ACCESS_DENIED)."

To view the discussion, visit: http://community.zenoss.org/message/65752#65752

--------------------------------------------------------------
I'm seeing the same issue, it's mostly 2008 issues. It looks like UAC issues. What has worked so far is to add the zenoss user into the distributed dcom group (if it isn't a domain controller) or go into the dcom program and give the user access (if it is a domain controller).

Then, restart the WMI service. I also suspect a Windows bug on some of the servers I've seen, especially pre-SP1 2008 R2 servers.
--------------------------------------------------------------

Chris Smith
2013-09-30 18:59:41 UTC
Chris Smith [http://community.zenoss.org/people/csmith] created the discussion

"Re: ZenEventlog: Could not read the Windows event log (NT_STATUS_ACCESS_DENIED)."

To view the discussion, visit: http://community.zenoss.org/message/74792#74792

--------------------------------------------------------------
I had really hoped Doug's suggestion above would work, but adding my ZenAdmin (Admin Account) to the DCOM group did not resolve the problem. I recently built 4 Windows 2008 servers and added them to Zenoss. Only one of them is having this issue where Zenoss is getting NT_STATUS_ACCESS_DENIED every time it tries to connect via WMI.

I can connect to this server with the same credentials that are in zWinUser and zWinPassword over RDP and through the WMI test tool (wbemtest.exe). Oddly enough the error that is logged in the Security event log on the server states "Unknown user name or bad password". Any ideas? I've been banging my head against this wall for several hours.

Event log entry:

"An account failed to log on.

Subject:
          Security ID:                NULL SID
          Account Name:               -
          Account Domain:             -
          Logon ID:                   0x0

Logon Type:                           3

Account For Which Logon Failed:
          Security ID:                NULL SID
          Account Name:               zenadmin
          Account Domain:             WORKGROUP

Failure Information:
          Failure Reason:             Unknown user name or bad password.
          Status:                     0xc000006d
          Sub Status:                 0xc000006a

Process Information:
          Caller Process ID:          0x0
          Caller Process Name:        -

Network Information:
          Workstation Name:           NA-DEN-ZEN-01
          Source Network Address:     68.177.51.51
          Source Port:                56545

Detailed Authentication Information:
          Logon Process:              NtLmSsp
          Authentication Package:     NTLM
          Transited Services:         -
          Package Name (NTLM only):   -
          Key Length:                 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
          - Transited services indicate which intermediate services have participated in this logon request.
          - Package name indicates which sub-protocol was used among the NTLM protocols.
          - Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
--------------------------------------------------------------

Chris Smith
2013-09-30 19:56:08 UTC
Chris Smith [http://community.zenoss.org/people/csmith] created the discussion

"Re: ZenEventlog: Could not read the Windows event log (NT_STATUS_ACCESS_DENIED)."

To view the discussion, visit: http://community.zenoss.org/message/74793#74793

--------------------------------------------------------------
Fixed my WMI issue...this turned out to be a weird setting that was applied when doing security lockdown. I think it was applied incorrectly. I found this by comparing local security policy between a server that was working and this server that wasn't.

I found under Local Security Policy > Local Policies > Security Options that "Network security: LAN Manager authentication level" was set to "Send NTLMv2 response only. Refuse LM & NTLM". Once I matched my other server and changed it to "Send NTLMv2 response only", Zenoss could log in correctly.


No idea why this did it but I'm glad it's working finally.
--------------------------------------------------------------
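
An added example, not part of the thread and not Zenoss code: a small triage helper that parses the failed-logon event text quoted above, decodes its status codes, and relates an NTLM network-logon failure to the server's "LAN Manager authentication level". The function names and the `creds_work_elsewhere` flag are hypothetical, the levels 0-5 are the registry values (LmCompatibilityLevel) behind the policy's six options, and the hint that the monitoring client may not be sending NTLMv2 is an inference from the fix reported in the thread.

```python
import re

# NTSTATUS codes found under "Failure Information" in a failed-logon event.
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE",
            0xC000006A: "STATUS_WRONG_PASSWORD"}

# LAN Manager authentication level (LmCompatibilityLevel 0-5):
# response types a server at that level refuses to accept.
REFUSED_BY_LEVEL = {0: [], 1: [], 2: [], 3: [], 4: ["LM"], 5: ["LM", "NTLM"]}

FIELDS = {"Logon Type", "Account Name", "Account Domain",
          "Status", "Sub Status", "Authentication Package"}

# Abridged from the event quoted in the post above.
SAMPLE_EVENT = """\
Subject:
    Account Name:       -
Logon Type:             3
Account For Which Logon Failed:
    Account Name:       zenadmin
    Account Domain:     WORKGROUP
Failure Information:
    Status:             0xc000006d
    Sub Status:         0xc000006a
Detailed Authentication Information:
    Authentication Package: NTLM
"""

def parse_failed_logon(text):
    """Extract the fields of interest; a repeated key keeps its last value."""
    event = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s+(\S.*)$", line)
        if m and m.group(1) in FIELDS:
            event[m.group(1)] = m.group(2).strip()
    return event

def triage(event, server_level, creds_work_elsewhere):
    """Decode the status codes and suggest what to check next."""
    result = {"status": NTSTATUS.get(int(event["Status"], 16), "unknown"),
              "sub_status": NTSTATUS.get(int(event["Sub Status"], 16), "unknown"),
              "hint": "re-check the stored user name, password and domain"}
    ntlm_network = (event["Logon Type"] == "3"
                    and event["Authentication Package"] == "NTLM")
    refused = REFUSED_BY_LEVEL[server_level]
    # Assumption: creds_work_elsewhere means RDP or wbemtest accepted them.
    if ntlm_network and creds_work_elsewhere and refused:
        result["hint"] = ("server refuses " + " and ".join(refused) + " responses;"
                          " confirm the monitoring client sends NTLMv2")
    return result
```

Calling `triage(parse_failed_logon(SAMPLE_EVENT), 5, True)` reproduces the situation in the post: a "wrong password" sub status on a network NTLM logon even though the same credentials work over RDP.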
