IBM Support

WinCollect troubleshooting: The RPC server is unavailable. Error code 1722 (0x06BA)

Question & Answer


Question

How to troubleshoot RPC issues with my WinCollect agent?

Cause

About this issue
This error message is typically displayed when a remote machine being monitored is being rebooted or is simply not on the network anymore. If the WinCollect machine itself loses its network connection or cannot be discovered with DNS, then RPC server unavailable messages can be displayed in the error log. This error message might also be seen when the host being polled is installed in a virtual environment when virtual machines hibernate because they were set up with the default power management profile. As WinCollect agent cannot connect to the remote VM, then 1722 errors are generated.

The error message

<13>Apr 17 10:54:41 myhostname.com LEEF:1.0|IBM|WinCollect|7.2|4|src=myhostname.com dst=10.10.10.10 
sev=5 log=Device.WindowsLog.EventLogMonitor msg=Failed to open event log myhostname.com 
[myhostname.com:Security]; will try again in approx 60 seconds. 
Reason: Error code 1722: The RPC server is unavailable.

If the error is accompanied by “Interface not found” errors, it is likely that either the remote host is offline or hibernating in a VM environment.

The most common causes of the RPC server unavailable message

  1. You have WinCollect log sources that remotely poll for events from other Windows systems, but the remote host is unreachable.
  2. You have WinCollect log sources where the Local System check box is selected and the hostname does not resolve or the FQDN is used instead of the short form hostname in the Log Source Identifier field.
  3. If you have a cloud environment or network environment where the WinCollect log source cannot resolve the IP address, hostname, or a network device is blocking ports or traffic.
  4. Services are not started on the Windows host to collect events.

Answer

Solution 1. Is the log source configured with the correct IP address or host name in the Log Source Identifier

The Log Source Identifier field must use either an IP address or hostname. Do not use an FQDN, such as myhostname.domain.com in the Log Source Identifier field as a separate domain field in the log source configuration is used when remotely polling Windows systems. For example, \\myhostname.domain.com generates RPC error messages because the field expects the short form of the hostname or an IP address.

Supported Log Source Identifier values:

  • Hostname
  • IP address

Log Source Identifier values that generate RPC errors:
  • \\myhostname
  • myhostname.domain.com
    Note: myhostname.domain.com is acceptable in the case where the Local System check box is selected in the log source configuration.


Note: The agent must be configured to allow automatic updates to update the log source on the remote agent. The Configuration Polling Interval for the agent determines the frequency with which the agent requests log source and software updates from the Console. After you save your log source update to correct the Log Source Identifier field, you can click save, then wait for the configuration interval to expire, which will update the remote WinCollect agent.
Automatic updates must be true to receive log source configuration updates from the console.

Solution 2. Verify the status of the remote system

Is the remote system powered on, available on the network, or is the remote system hibernating?

Solution 3. Verify the RPC service is running on the remote system

If the WinCollect agent is logging errors, the administrator can verify that the services required by RPC are enabled on the remote system.

Procedure

  1. Log in to the remote system.
  2. Select Start > Programs > Administrative Tools, and then click Services.
  3. In the Status column, the Remote Procedure Call (RPC) service must display Started.
  4. In the Status column, the Remote Registry service must display Started.

Solution 4. Verify the user in your log source includes the correct user right assignment

The user defined in your log source must include the ability to manage auditing and security log.

Procedure

  1. Log in to the remote system.
  2. Select Start > Programs > Administrative Tools, and then click Local Security Policy.
  3. From the navigation menu, select Local Policies > User Rights Assignment.
  4. Right-click on Manage auditing and security log and select Properties.
  5. From the Local Security Setting tab, click Add User or Group to add your WinCollect user to the local security policy.

Log out of the Windows host and attempt to remotely poll the host for Windows events with your WinCollect log source.

If you cannot collect events for the WinCollect log source, you can verify your group policy does not override your local policy. You can also verify that the local firewall settings on the Windows host allow Remote Event Log Management.

Alternately, you can update your log source configuration with the Domain administrator credentials to determine whether your issue is due to account permissions. If Domain administrator credentials are also denied, then the issue might be network-related.

Solution 5. Verify you can open the event viewer on the remote system

If you are remotely polling another Windows host for events, you can try to remotely open the event viewer from the system running the WinCollect agent.

Procedure

  1. Log on to the Windows host that has the WinCollect agent locally installed.
  2. Select Start > Programs > Administrative Tools, and then click Event Viewer.
  3. Click Action > Connect to another computer.
  4. Select the Another computer option and type the IP address or host name of the server you want to remotely poll for events.
  5. Click the Connect as another user check box.
  6. Click Set User.
  7. In the User name field, type the domain\username for the user you specified in your log source configuration. For example, test.example.com\JohnDoe
  8. Type the password for the user and click OK.
     

What to do next
If you cannot remotely view the event viewer on the remote host, then an RPC Server is unavailable message is displayed. Administrators can run nslookup from the command line on the host name or IP address you specified. The nslookup should provide you with the host name you can use to try to remotely connect to the event viewer.

Procedure

  1. Click Start > Run, type cmd and press Enter.
  2. To verify the DNS entry for your computer, type the following command: 
    nslookup %computername%
  3. If the results return an unexpected IP address or name, then you might have to correct conflicting IP information your DNS server.
    Note: If you think this issue might be related to the DNS server and the location of the system, run nslookup with the address of the Active Directory server. To see the Active Directory server, type nslookup ad or nslookup ad.domain.name and compare the results.
  4. If the DNS server is not in your zone or if the lookup does not resolve correctly, use the Enable Active Directory Lookups check box.
  5. To specify a server to complete an Active Directory Lookup, type an IP address or FQDN of a domain controller in the Override Domain Name Controller field.
  6. To specify a server to complete the DNS Lookup for a host, type an IP address or FQDN of a domain controller in the Override DNS Domain Name field.

    Results
    If you successfully connected to the event viewer of the remote system, then you can verify that the log source configuration is correct and that the Log Source Identifier field contains the host name or FQDN used to connect to the event viewer of the remote system.

Solution 6. Verify required ports are open on the Windows host and that Remote Event Log Management is allowed

All firewalls located between the agent and the system that is being polled for events must allow communication on the ports defined in this section.

To verify the Windows Firewall allows Remote Event Log Management

  1. Log in to the remote system.
  2. Select Start > Programs > Administrative Tools, and then click Windows Firewall with Advanced Security.
  3. Click Inbound Rules.
  4. Verify that the Enabled column lists Yes for all of the Remote Event Log Management firewall rules.
    1. TCP port 135 Microsoft Endpoint Mapper
    2. UDP port 137 NetBIOS name service
    3. UDP port 138 NetBIOS datagram service
    4. TCP port 139 NetBIOS session service
    5. TCP port 445 Microsoft Directory Services for file transfers that use a Windows share

Note: To verify whether a port is listening, administrators can type the following command:

netstat -an | find "port#"

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtwAAA","label":"WinCollect"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
21 February 2023

UID

swg21666403

Page Feedback