000033184 - Unrecognized characters in syslog payload not allowing alerts to be processed in RSA Security Operations Management

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000033184
Applies ToRSA Product Set: Security Management
RSA Product/Service Type: SecOps
RSA Version/Condition: 1.3
IssueHexadecimal characters in the syslog payload are not being processed by middleware.
Cause
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
  <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
    <EventID>0</EventID>
    <Type>3</Type>
    <SubType Name="Error">0</SubType>
    <Level>2</Level>
    <TimeCreated SystemTime="2016-04-21T20:22:35.1718278Z" />
    <Source Name="Archer.NET" />
    <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
    <Execution ProcessName="w3wp" ProcessID="3480" ThreadID="138" />
    <AssemblyVersion>6.0.0.1470</AssemblyVersion>
    <Channel />
    <Computer>XXXXXXXXX</Computer>
  </System>
  <ApplicationData>
    <TraceData>
      <DataItem>
        <TraceRecord Severity="Error" xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord">
        <TraceIdentifier>Archer.NET</TraceIdentifier>
        <Description>Server was unable to read request.</Description>
        <AppDomain>/LM/W3SVC/1/ROOT-1-131057185801591970</AppDomain>
        <Exception>
          <ExceptionType>System.Web.Services.Protocols.SoapException, System.Web.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a</ExceptionType>
          <Message>Server was unable to read request.</Message>
          <Source>System.Web.Services</Source>
          <StackTrace> at System.Web.Services.Protocols.SoapServerProtocol.ReadParameters() at System.Web.Services.Protocols.WebServiceHandler.CoreProcessRequest()</StackTrace>
          <InnerException>
            <ExceptionType>System.InvalidOperationException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
            <Message>There is an error in XML document (1, 1237).</Message>
            <Source>System.Xml</Source>
            <StackTrace> at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle)
at System.Web.Services.Protocols.SoapServerProtocol.ReadParameters()</StackTrace>
            <InnerException>
              <ExceptionType>System.Xml.XmlException, System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
              <Message>'.', hexadecimal value 0x00, is an invalid character. Line 1, position 1237.</Message>
              <Source>System.Xml</Source>
              <StackTrace> at System.Xml.XmlTextReaderImpl.Throw(String res, String[] args)
at System.Xml.XmlTextReaderImpl.ParseText(Int32& startPos, Int32& endPos, Int32& outOrChars)
at System.Xml.XmlTextReaderImpl.ParseText()
at System.Xml.XmlTextReaderImpl.ParseElementContent()
at System.Web.Services.Protocols.SoapServerProtocol.SoapEnvelopeReader.Read()
at System.Xml.XmlReader.ReadElementString()
at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReader1.Read19_CreateRecords()
at Microsoft.Xml.Serialization.GeneratedAssembly.ArrayOfObjectSerializer36.Deserialize(XmlSerializationReader reader)
at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
              </StackTrace>
            </InnerException>
          </InnerException>
        </Exception>
      </TraceRecord>
    </DataItem>
  </TraceData>
 </ApplicationData>
</E2ETraceEvent>
ResolutionLong term fix is to upgrade to SecOps 1.3.1.
WorkaroundValidate that the source of syslog data is not outputting hexadecimal data.

Attachments

    Outcomes