
ubuntu - NXlog Kerberos Principal not found in keytab - Stack Overflow


NXlog im_wseventing Request ticket server HTTP/domain@REALM not found in keytab

Currently I am working on using NXLog to collect Windows event logs on my Ubuntu 22 desktop using the Kerberos authentication approach.

I have prepared three virtual machines to achieve the event collecting. A Windows 10 machine acts as the WEC Client, an Ubuntu desktop acts as the WEC Server with hostname linux-wec, and an Active Directory server (Windows Server 2019) with hostname ADSERVER handles the domain and DNS server related tasks. These devices are able to ping each other.

I have followed all the steps (including the configuration for the WEC Client to send events to NXLog), but I am encountering a problem at "Configure Kerberos on the WEC server" Step 7: I run the command and restart the nxlog service, and in nxlog.log, after the connection is established between the WEC Server and the WEC Client, it includes this error:

ERROR [im_wseventing|windows_events] GSS-API error gss_accept_sec_context - type: major code: 851968, msg: Unspecified GSS failure.  Minor code may provide more information

ERROR [im_wseventing|windows_events] GSS-API error gss_accept_sec_context - type: minor code: -1765328349, msg: Request ticket server HTTP/linux-wec.abc.local@ABC.LOCAL not found in keytab (ticket kvno 7)

Any idea or suggestion on this? I have spent a few days on it and still cannot find a solution. I tried to change the encryption method, re-request the ticket, and redo everything, but I am still getting this error.

krb5.conf

[libdefaults]
    default_realm = ABC.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true
[realms]
    ABC.LOCAL = {
        kdc = ADSERVER.abc.local
        admin_server = ADSERVER.abc.local
    }
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    CSAIL.MIT.EDU = {
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    ANDREW.CMU.EDU = {
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
    }
[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA
        .abc.local = ABC.LOCAL
        abc.local = ABC.LOCAL

nxlog.conf

User nxlog
Group nxlog
Panic Soft

# default values:
define INSTALLDIR /opt/nxlog
# PidFile   %INSTALLDIR%/var/run/nxlog/nxlog.pid
# CacheDir  %INSTALLDIR%/var/spool/nxlog
# ModuleDir %INSTALLDIR%/lib/nxlog/modules
# SpoolDir %INSTALLDIR%/var/spool/nxlog

define CERTDIR %INSTALLDIR%/var/lib/nxlog/cert
define CONFDIR %INSTALLDIR%/etc/nxlog.d

# Note that these two lines define constants only; the log file location
# is ultimately set by the `LogFile` directive (see below). The
# `MYLOGFILE` define is also used to rotate the log file automatically
# (see the `_fileop` block).
define LOGDIR %INSTALLDIR%/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

# If you are not using NXLog Manager, disable the `include` line
# and enable LogLevel and LogFile.
#include %CONFDIR%/*.conf
LogLevel    INFO
LogFile     %MYLOGFILE%

<Extension _syslog>
    Module  xm_syslog
</Extension>

# This block rotates `%MYLOGFILE%` on a schedule. Note that if `LogFile`
# is changed in managed.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                 file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Input windows_events>
    Module              im_wseventing
    Address             http://linux-wec.abc.local:80/wsman/
    ListenAddr          0.0.0.0
    Port                80
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="Setup">*</Select>
                <Select Path="System">*</Select>
                <Select Path="ForwardedEvents">*</Select>
                <Select Path="Windows PowerShell">*</Select>
            </Query>
        </QueryList>
    </QueryXML>

    # Log connections for testing and troubleshooting
    LogConnections      TRUE
</Input>

<Output file>
    Module  om_file
    File    "%LOGDIR%/windows.log"
</Output>

<Route uds_to_file>
    Path  windows_events => file
</Route>

Extra Info:

  1. ADSERVER and WEC Client are included in the abc.local domain.
  2. I created a reverse lookup zone when I created the DNS record for linux-wec.
  3. I have created an account in the ADSERVER's Active Directory Users and Computers > abc.local > Users for linux-wec as guided by the link above.
  4. In WEC Client gpedit.msc > Computer Configuration > Administrative Templates > Windows Components > Event Forwarding > Configure target Subscription Manager, I have enabled the setting and in the Options (Show... button), I entered this as the value:
Server=HTTP://linux-wec.abc.local:80/wsman/,Refresh=30

asked Mar 27 at 3:36 by KLZ Canon
  • But what do you have in the keytab? The message says it can't find the principal in a keytab, so have you tried looking at what entries the keytab has? What is the output of klist -k -t <path_to_keytab>? – grawity_u1686 Commented Mar 27 at 5:21
  • The output of klist -k -t <path_to_keytab> has two entries, host and http principals: hosts/linux-wec.abc.local@ABC.LOCAL and http/linux-wec.abc.local@ABC.LOCAL. This was the part that confused me: everything is inside the keytab file, but it still says it cannot find it. I have put the keytab file into the /etc directory, alongside my krb5.conf. – KLZ Canon Commented Mar 27 at 5:38

2 Answers


You don't have the correct principal name.

The error message says that it is looking for an HTTP/… principal, which seems correct (both the service part and the hostname part), but your keytab has http/… according to what you say in the comment. These are not the same – only Windows servers (and AD DCs) treat them as the same, but other Kerberos implementations are actually case-sensitive. The HTTP service needs to be upper-case while most other service types are lower-case.

The other entry, hosts/, has a bogus service name. Most "general-purpose login" services like SSH, Telnet, etc. use host but nothing that I know of uses hosts.

As a temporary workaround, the "ignore acceptor name" server-side krb5.conf option could be used to have the service try to validate tickets against all entries in its keytab even if the name doesn't match.

(Ideally these two entries should be in different keytabs, with the KRB5_KTNAME= environment variable used to specify the keytab if the service doesn't have its own option for that – that way the HTTP keytab could have its file permissions separate from the machine keytab.)
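As an added example (not code from this thread, from NXLog, or from MIT Kerberos), the check the first comment asks for, automated: it parses the "Request ticket server ... not found in keytab" line from nxlog.log and the output of `klist -k -t`, then reports whether the principal the client's ticket names is missing outright, present only under different letter case, present at a different kvno, or accompanied by an entry with an odd service name such as `hosts/`. The log line and both keytab listings are constructed from what the question and comments describe (timestamps invented); `KNOWN_SERVICES` is this example's own short list of service-name spellings, and the `Diagnosis` class is a hypothetical helper.

```python
"""Cross-check the principal named in a GSS-API "not found in keytab" error
against the entries that `klist -k -t` lists.  Added example for this thread;
all sample text below is constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed: the minor-code line quoted in the question.
NXLOG_ERROR = (
    "ERROR [im_wseventing|windows_events] GSS-API error gss_accept_sec_context - "
    "type: minor code: -1765328349, msg: Request ticket server "
    "HTTP/linux-wec.abc.local@ABC.LOCAL not found in keytab (ticket kvno 7)"
)

# Constructed: what `klist -k -t /etc/krb5.keytab` prints for the two entries
# described in the comments (timestamps invented).
KLIST_BEFORE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   7 03/27/24 03:00:00 hosts/linux-wec.abc.local@ABC.LOCAL
   7 03/27/24 03:00:00 http/linux-wec.abc.local@ABC.LOCAL
"""

# Constructed: the same keytab after being recreated with the upper-case HTTP
# service name (and host/ spelled correctly).
KLIST_AFTER = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   7 03/27/24 04:00:00 host/linux-wec.abc.local@ABC.LOCAL
   7 03/27/24 04:00:00 HTTP/linux-wec.abc.local@ABC.LOCAL
"""

# One data row of `klist -k -t`: KVNO, date, time, principal.
_KLIST_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")
# The MIT krb5 "no key" text that NXLog relays as the GSS minor-code message.
_NOKEY_MSG = re.compile(r"Request ticket server (\S+) not found in keytab \(ticket kvno (\d+)\)")
# This example's own list of service-name spellings; used only to flag oddities such as "hosts".
KNOWN_SERVICES = {"host", "HTTP", "ldap", "nfs", "cifs", "imap", "smtp", "ftp", "postgres"}


def parse_klist(text):
    """Return [(kvno, principal), ...] from `klist -k -t` output, skipping header lines."""
    return [(int(m.group(1)), m.group(2))
            for m in map(_KLIST_ROW.match, text.splitlines()) if m]


def requested_principal(log_line):
    """Return (principal, kvno) from a 'not found in keytab' error line, or None."""
    m = _NOKEY_MSG.search(log_line)
    return (m.group(1), int(m.group(2))) if m else None


def split_principal(principal):
    """'HTTP/linux-wec.abc.local@ABC.LOCAL' -> ('HTTP', 'linux-wec.abc.local', 'ABC.LOCAL')."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


@dataclass
class Diagnosis:  # hypothetical helper type for this example
    requested: str
    kvno: int
    exact_match: bool = False
    kvno_mismatches: list = field(default_factory=list)    # (principal, keytab kvno)
    case_only_matches: list = field(default_factory=list)  # same principal, different case
    odd_services: list = field(default_factory=list)       # unexpected service-name spelling


def diagnose(log_line, klist_text):
    """Compare the principal the client's ticket names with every keytab entry."""
    req = requested_principal(log_line)
    if req is None:
        raise ValueError("log line carries no 'not found in keytab' error")
    principal, kvno = req
    d = Diagnosis(requested=principal, kvno=kvno)
    for entry_kvno, entry in parse_klist(klist_text):
        if entry == principal:
            if entry_kvno == kvno:
                d.exact_match = True
            else:
                d.kvno_mismatches.append((entry, entry_kvno))
        elif entry.lower() == principal.lower():
            # MIT Kerberos compares principal components case-sensitively.
            d.case_only_matches.append(entry)
        elif split_principal(entry)[0] not in KNOWN_SERVICES:
            d.odd_services.append(entry)
    return d


def explain(d):
    """Render a Diagnosis as the checklist an operator would act on."""
    lines = [f"ticket presented for {d.requested} (kvno {d.kvno})"]
    if d.exact_match:
        lines.append("keytab holds that principal at that kvno; the failure lies elsewhere")
    for entry, k in d.kvno_mismatches:
        lines.append(f"keytab holds {entry} at kvno {k}: stale keytab, regenerate it")
    for entry in d.case_only_matches:
        lines.append(f"keytab holds {entry}: differs only in case, which MIT Kerberos treats as a different principal")
    for entry in d.odd_services:
        lines.append(f"keytab entry {entry} has an unusual service name (typo such as 'hosts' for 'host'?)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(diagnose(NXLOG_ERROR, KLIST_BEFORE)))
    print("--- after recreating the keytab ---")
    print(explain(diagnose(NXLOG_ERROR, KLIST_AFTER)))
```

On the WEC server, feed the real output of `klist -k -t /etc/krb5.keytab` and the error line from nxlog.log to `diagnose()`. A case-only match is the situation in this thread; a kvno mismatch instead points at a keytab generated before the AD account's password was last reset, since AD increments the kvno on each reset.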

After a few days of retrying and researching, and thanks to grawity_u1686's advice, I managed to solve the problem.

The problem was in my AD server, under Active Directory Users and Computers > abc.local > Users: in the Account tab of the Properties of my Linux user record (linux-wec), the User logon name holds the value HTTP/linux-wec.abc.local, indicating that the principal used should be HTTP, not http. By recreating the keytab with the HTTP principal, my NXLog managed to work normally.

Help appreciated with thanks.
