Heartbeat another agent with "Access is Denied" and SNMP not correctly resolving according to MIBs

edited October 2014 in General
Dear All,

I have been trying to set up Event Sentry light to heartbeat another agent.
It works when I heartbeat using just the IP, but when I try to use "monitor Event Sentry Agent",
I keep getting emails complaining an "Access is denied" error.

In addition, I also tried setting up SNMP to receive traps from my network equipment.
It seems Event Sentry lacks the basic MIBs? I have a Fortigate 60D and a Dlink Switch, I downloaded the MIBs from the Fortinet Web site and imported them to Event Sentry.
I have restarted the Event Sentry but when I receive traps they are still in their raw form.

Would anyone please kindly lend a hand? Your help is highly appreciated.

Thanks and Regards,
Lok

Comments

  • Hi Lok,

    If you open "Services.msc" on the EventSentry management console machine, and locate the "EventSentry Heartbeat Service" is that service running as the "Local System" account or a domain administrator account? If it's running as the "Local System" account that account doesn't have permissions to query the service on remote machines, so you will have to change that to an account such as a domain administrator that has permissions:

    http://www.eventsentry.com/kb/41

    If these computers aren't on the domain and you've set authentication you should look at this KB:

    http://www.eventsentry.com/kb/216

    For your SNMP question, what MIB(s) do you have installed? Do you just have the MIB(s) for the Fortigate 60D and the DLink switch? Or do you have others? Do you have an example of one of the traps you've received that is just the raw data?

    Steven
  • Hi Steven,

    Thank you so much for your comment.

    For the "Access is Denied" problem, I have followed your provided instructions but with regret it only solves half of the problem.
    I am not using any domain and thus I don't have any domain account.
    In my setup, I have two servers, A and B, each with a default Windows Administrator account "Administrator" and a manually created administrator account "compadmin", they all have the same password.
    Server A and B each have ES light installed and they monitor each other in their heartbeat options.
    If I log in to server A as "Administrator" and set the heartbeat service to log on as "Administrator" I can successfully eliminate the error.
    However, when I log in to server A as either "Administrator" or "compadmin" and set the heartbeat service to log on as "compadmin" I still get the "Access is Denied" error.
    I noticed that when I set any account to log on as in the service.msc, it will automatically be added to the User Right Policy "Allow log on as a services".
    Given that the default admin worked and the newly created admin didn't, may I know whether there are other User Rights Assignments that are needed for the account to work please?

    As for the SNMP, I noticed that there are some default MIBs that came with ES.
    As I can't find the official MIBs for the DLink Switch I have enabled some random MIBs from the default library and hope I can catch some common ones. As for the fortigate 60D, I downloaded the MIBs from the device, they are FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib
    ref: http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/snmp_setup.html

    One of the traps I used to test is the "config change" trap, the content received is as follows:
    A SNMP trap was received:

    Version: 2
    Community: private
    Trap Sender: 192.168.30.218
    Trap ID: iso.org.dod.internet.mgmt.mib-2.47.2.6.1 (1.3.6.1.2.1.47.2.0.1)

    Trap Bindings:


    A D-Link trap is also attached below for your reference please:
    A SNMP trap was received:

    Version: 2
    Community: private
    Trap Sender: 192.168.30.217
    Trap ID: iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTraps.linkUp (1.3.6.1.6.3.1.1.5.4)

    Trap Bindings:
    1: iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifIndex.1 (1.3.6.1.2.1.2.2.1.1.1) = 1
    2: iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifAdminStatus.1 (1.3.6.1.2.1.2.2.1.7.1) = 1
    3: iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOperStatus.1 (1.3.6.1.2.1.2.2.1.8.1) = 1
    --

    Thank you for your time and effort.

    Thanks and Regards,
    Lok
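
An added example, not part of the original posts and not EventSentry code: it reads the two "Trap ID:" lines quoted in the post above and reports the numeric subtree at which name resolution stopped, which is the subtree whose MIB the receiver has not loaded. The function names are hypothetical, and the line format is assumed to be exactly as quoted.

```python
import re

# The two Trap ID lines quoted in the post above: symbolic rendering first,
# numeric OID in parentheses.
SAMPLE = """\
Trap ID: iso.org.dod.internet.mgmt.mib-2.47.2.6.1 (1.3.6.1.2.1.47.2.0.1)
Trap ID: iso.org.dod.internet.snmpV2.snmpModules.snmpMIB.snmpMIBObjects.snmpTraps.linkUp (1.3.6.1.6.3.1.1.5.4)
"""

TRAP_ID = re.compile(r"^\s*Trap ID:\s*(\S+)\s*\(([\d.]+)\)\s*$")


def unresolved_subtree(line):
    """Return None if every arc of the trap ID was given a name, otherwise the
    numeric OID of the first arc that no loaded MIB could name."""
    m = TRAP_ID.match(line)
    if not m:
        raise ValueError("not a Trap ID line: %r" % line)
    labels = m.group(1).split(".")
    arcs = m.group(2).split(".")
    # Count the leading labels that are names rather than bare numbers.
    resolved = 0
    for label in labels:
        if label.isdigit():
            break
        resolved += 1
    if resolved == len(labels) or resolved >= len(arcs):
        return None
    # Use the numeric OID as the reference: the first unnamed arc is at
    # index `resolved`, so the missing subtree is the prefix ending there.
    return ".".join(arcs[: resolved + 1])


def report(text):
    """Return (numeric trap OID, unresolved subtree or None) per Trap ID line."""
    results = []
    for line in text.splitlines():
        m = TRAP_ID.match(line)
        if m:
            results.append((m.group(2), unresolved_subtree(line)))
    return results


if __name__ == "__main__":
    for oid, missing in report(SAMPLE):
        status = "fully resolved" if missing is None else "not named below " + missing
        print(oid, status)
```

For the first trap, resolution stops at 1.3.6.1.2.1.47, which is the entityMIB subtree defined by ENTITY-MIB; the linkUp trap resolves completely.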
  • Hi Lok,

    You mentioned that starting the management console as "Administrator" worked (when the HB Agent ran under the same account), is there any reason not to use this setup, considering it works?

    Did you assign any authentication to server b in the management console?

    The prerequisites are pretty straightforward as long as the user account you use is a member of the local administrators group.

    In order to use the compadmin account, I would do the following:

    1. On serverA, log in as "compadmin" and launch the management console
    2. Select the computer group and do a "Check Status". Is the status of the remote agent reported correctly?
    3. If it is not, right-click serverB and assign credentials to it with "Set Authentication". Enter valid credentials for serverB and repeat step 2. Does it work now?
    4. If it doesn't work, then you can try to use the "Administrator" account on serverB since that seems to work.
    5. If it works, then you can save the configuration, and re-configure the EventSentry Heartbeat Service to run under the compadmin account - it should work now.

    You can ignore the messages about the "Logon as a service" privilege. This is just a privilege which Windows automatically adds to a user account if it is being used by a service for the first time.

    Please let us know if that helps. We'll get back to you on the SNMP issues.

    Can you send us a list of all the MIBs you have currently loaded in EventSentry? You can save the config as HTML to easily copy/paste that information.
  • Hi Ingmar,

    The "Administrator" account will be disabled by default in the final configuration, currently I can use it for testing.

    I tried both assigning and not assigning any authentication to server b and both didn't work when using "compadmin" (while when using "Administrator" I didn't have to assign any authentication, just simply run the heartbeat service as "Administrator" and the error would go away)

    I have double checked and the account "compadmin" is a member of the Administrator group and the credentials are identical on both machines.

    As for your procedures:
    Answer to 2.: no, it reported access is denied (also already changed the logon to use "compadmin" instead of "Administrator")
    Answer to 3.: Followed the steps but still the same error
    Answer to 4.: Using "Administrator" when setting authentication seemed to work
    Answer to 5.: Using "Administrator" for authentication and running the service as "compadmin" does not work, still gives out "Access is denied" error. In addition, as the "Administrator" account will be disabled, I would hope to not involve this account in the configuration at all.

    Please see below for the MIBs enabled, sorry for the long list I was trying to randomly hit the ones that are applicable to the D-Link switch, but you can see a series of Fortigate/Net MIBs were enabled as well (I have been trying different versions as well):

    MIB(s):
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1213-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1155-SMI.mib
    C:\Program Files (x86)\EventSentryLight\mibs\SNMPv2-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\NET-SNMP-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\EventSentryV2cV3.mib
    C:\Program Files (x86)\EventSentryLight\mibs\FORTINET-CORE-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\FORTINET-FORTIGATE-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\FORTINET-FORTIGATE-MIB1.mib
    C:\Program Files (x86)\EventSentryLight\mibs\FORTINET-FORTIGATE-MIB2.mib
    C:\Program Files (x86)\EventSentryLight\mibs\FORTINET-FORTIGATE-MIB3.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1066-MIB-INTERPRETATION.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1155-SMI.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1213-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC-1215.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1215-TRAP.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1229-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1230-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1231-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1232-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1233-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1243-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1248-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1252-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1253-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1269-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1271-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1284-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1285-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1286-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1304-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1315-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1316-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1317-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1318-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1353-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1354-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1381-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1382-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1389-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1398-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1406-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1407-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1414-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RFC1759-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\RIPv2-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\SNMPv2-M2M-MIB.mib
    C:\Program Files (x86)\EventSentryLight\mibs\SNMPv2-MIB.mib

    I would like to thank you for your reply and I would be grateful if you could further help on this issue.
    Thank you very much for your time and effort.

    Regards,
    Lok
  • edited October 2014
    Hello Lok,

    Based on the information you provided this should definitely work. Can you contact us via this link so that we can investigate this further?
    http://www.eventsentry.com/support/request
  • Hi Erica,

    Thanks for your reply, I have just logged a support request (Case 27555).
    However, as advised by your staff before, please kindly note that I am using the Event Sentry light version and am not eligible for support.
    Grateful if you could shed some light on the issues.

    Thank you for your help.

    Regards,
    Lok