000034215 - Error message "The array bounds are invalid" reported for Windows 2008 R2 and Windows 2012 R2 with WinRM in RSA Security Analytics

Document created by RSA Customer Support Employee on May 5, 2018
Version 1

Article Content

Article Number: 000034215
Applies To: RSA Product Set: NetWitness Logs & Network, Security Analytics
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.5 and above
Issue: Windows Collection stops completely when an error similar to the example below is reported in the /var/log/messages file.

[WindowsCollection] [failure] [WINR2.X_X_X_X] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source X.X.X.X:
Fault Code : s:Receiver Subcode : w:InternalError Reason : The array bounds are invalid.  Fault Detail : Windows Event Forward Plugin failed
to read events.
Oct  5 13:57:52 RSALD NwLogCollector[3241]: [WindowsCollection] [warning] [WINR2.X_X_X_X] [processing] [WorkUnit] [processing] Unable to
cancel existing subscription for Windows event source: Fault Code : s:Receiver Subcode : w:InternalError Reason : Element not found.  
Fault Detail : The WS-Management service could not identify the subscription context ID in the SOAP packet that was received.
The packet may have been invalid, or the operation may have timed out.
Cause: This is solely a Windows-related issue. Microsoft is aware of this, and RSA Engineering is in contact with Microsoft to resolve the issue. According to Microsoft, RPC has an issue with chunks of Windows events over 2MB.
Workaround: Filtering out the following Event IDs in the Channel field may stop the issue from occurring:

System^(101|201), Security^(4672|4776|4768|4769|5447), Application^(211|300), ForwardedEvents^(101|201|4672|4776|4768|4769|5447|211|300)
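As an added illustration (not part of the RSA article or the Log Collector product code), the following Python reads the workaround string above in the form `Channel^(id|id|...)`, comma-separated, and applies it to a constructed set of events so you can see exactly which records the workaround would suppress. It assumes that the caret-and-parentheses form denotes an alternation of Event IDs to drop for that channel; confirm the exact filter semantics against your Log Collector version's documentation. Note that the Security entries cover authentication events (4768/4769 Kerberos ticket requests, 4776 NTLM credential validation, 4672 privileged logon), so any detection content that depends on them loses coverage while the workaround is in place.

```python
import re
from typing import Dict, List, Set, Tuple

# Workaround filter string exactly as given in the article.
WORKAROUND_FILTER = (
    "System^(101|201), Security^(4672|4776|4768|4769|5447), "
    "Application^(211|300), "
    "ForwardedEvents^(101|201|4672|4776|4768|4769|5447|211|300)"
)

# One entry: <channel>^(<id>|<id>|...), surrounding whitespace tolerated.
_ENTRY = re.compile(r"^\s*(?P<channel>[A-Za-z0-9_-]+)\^\((?P<ids>\d+(?:\|\d+)*)\)\s*$")


def parse_channel_filter(spec: str) -> Dict[str, Set[int]]:
    """Map each channel to the set of Event IDs the filter drops.
    Assumption: '^(a|b)' is read as an alternation of Event IDs to exclude."""
    filters: Dict[str, Set[int]] = {}
    for entry in spec.split(","):
        if not entry.strip():
            continue
        match = _ENTRY.match(entry)
        if match is None:
            raise ValueError(f"malformed filter entry: {entry!r}")
        ids = {int(x) for x in match.group("ids").split("|")}
        filters.setdefault(match.group("channel"), set()).update(ids)
    return filters


def is_dropped(filters: Dict[str, Set[int]], channel: str, event_id: int) -> bool:
    """True when the workaround would suppress this (channel, Event ID) pair."""
    return event_id in filters.get(channel, set())


def apply_filter(filters: Dict[str, Set[int]], events: List[Tuple[str, int]]):
    """Split events into (kept, dropped) lists, preserving input order."""
    kept: List[Tuple[str, int]] = []
    dropped: List[Tuple[str, int]] = []
    for channel, event_id in events:
        target = dropped if is_dropped(filters, channel, event_id) else kept
        target.append((channel, event_id))
    return kept, dropped


# Constructed sample events (channel, Event ID); not captured from a real host.
SAMPLE_EVENTS = [
    ("Security", 4624),         # interactive logon: kept
    ("Security", 4768),         # Kerberos TGT request: dropped by the workaround
    ("System", 101),            # dropped
    ("Application", 1000),      # kept
    ("ForwardedEvents", 300),   # dropped
]

if __name__ == "__main__":
    kept, dropped = apply_filter(parse_channel_filter(WORKAROUND_FILTER), SAMPLE_EVENTS)
    print("kept:", kept)
    print("dropped:", dropped)
```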
