|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Log Collector
Platform: Windows Server (WinRM)
O/S Version: Windows Server 2008 R2, Windows Server 2012 R2
|Issue||Some security events are not being collected from a Windows Server 2008 R2 or Windows Server 2012 R2 host due to parsing issues caused by a malformed event XML.|
When the issue occurs, the /var/log/messages file reports a failure similar to the example below.
Sep 11 11:00:32 localhost nw: [WindowsCollection] [failure] [Win2k8R2] Error retrieving SOAP message due to malformed event XML from the server.
|Cause||This issue occurs due to a known Microsoft issue in which the Audit event ID 4661 triggers an XML error in a Windows Server 2012 R2 or Windows Server 2008 environment. |
This issue is caused because Security Audit 4661 contains an invalid value in the Privileges field. This corrupts the transaction, resulting in the error and preventing the Log Collector from properly consuming the events.
|Resolution||The issue can be rectified by applying the appropriate hotfix found in the Microsoft Knowledgebase Article 2956014.|