000029090 - RSA Security Analytics Log Collector is unable to collect some security events from Windows Server 2008 R2

Document created by RSA Customer Support Employee on Jun 14, 2016

Article Content

Article Number: 000029090
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector
Platform: Windows Server (WinRM)
O/S Version: Windows Server 2008 R2, Windows Server 2012 R2
Issue: Some security events are not being collected from a Windows Server 2008 R2 or Windows Server 2012 R2 host due to parsing issues caused by a malformed event XML.
When the issue occurs, the /var/log/messages file reports a failure similar to the example below.
Sep 11 11:00:32 localhost nw[1442]: [WindowsCollection] [failure] [Win2k8R2] Error retrieving SOAP message due to malformed event XML from the server.
Cause: This issue occurs due to a known Microsoft issue in which the Audit event ID 4661 triggers an XML error in a Windows Server 2012 R2 or Windows Server 2008 environment.
Security Audit event 4661 contains an invalid value in the Privileges field. This corrupts the transaction, resulting in the error and preventing the Log Collector from properly consuming the events.
Resolution: The issue can be rectified by applying the appropriate hotfix found in Microsoft Knowledge Base article 2956014.
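To find which collected hosts are affected before applying the hotfix, the /var/log/messages signature quoted in the Issue section can be scanned for the failure. The script below is an added example, not RSA's own tooling; it assumes the bracketed name after the failure level (Win2k8R2 in the quoted line) is the event source name configured on the Log Collector, and the log lines it processes are constructed samples.

```python
import re
from typing import Dict, List

# Constructed sample of /var/log/messages lines (not captured from a real host);
# the second line mirrors the failure signature quoted in the article.
SAMPLE_MESSAGES = """\
Sep 11 10:59:58 localhost nw[1442]: [WindowsCollection] [info] [Win2k8R2] Collection started.
Sep 11 11:00:32 localhost nw[1442]: [WindowsCollection] [failure] [Win2k8R2] Error retrieving SOAP message due to malformed event XML from the server.
Sep 11 11:02:07 localhost nw[1442]: [WindowsCollection] [failure] [Win2k12R2] Error retrieving SOAP message due to malformed event XML from the server.
Sep 11 11:03:15 localhost sshd[2201]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""

# Assumed layout of a Log Collector WindowsCollection line:
# <timestamp> <host> nw[<pid>]: [WindowsCollection] [<level>] [<event source>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) nw\[\d+\]: "
    r"\[WindowsCollection\] \[(?P<level>\w+)\] \[(?P<source>[^\]]+)\] (?P<msg>.*)$"
)

# Distinctive fragment of the failure message from the article
MALFORMED_XML_SIG = "malformed event XML"


def find_malformed_xml_failures(text: str) -> List[Dict[str, str]]:
    """Return one record per WindowsCollection failure caused by malformed event XML."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "failure":
            continue
        if MALFORMED_XML_SIG not in m.group("msg"):
            continue
        hits.append({"ts": m.group("ts"), "host": m.group("host"), "source": m.group("source")})
    return hits


def affected_sources(text: str) -> Dict[str, int]:
    """Count malformed-XML failures per event source so the affected Windows hosts can be patched."""
    counts: Dict[str, int] = {}
    for hit in find_malformed_xml_failures(text):
        counts[hit["source"]] = counts.get(hit["source"], 0) + 1
    return counts


if __name__ == "__main__":
    for source, n in affected_sources(SAMPLE_MESSAGES).items():
        print(f"{source}: {n} malformed-XML failure(s); verify the KB 2956014 hotfix on that host")
```

Run it against the real file with `affected_sources(open("/var/log/messages").read())`; a source that keeps appearing after the hotfix is applied points to a cause other than the one this article describes.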