|Applies To||RSA Product Set: NetWitness Logs & Network, Security Analytics|
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.5 and above
|Issue||Windows Collection stops completely when an error similar to the example below is reported in the /var/log/messages file.|
[WindowsCollection] [failure] [WINR2.X_X_X_X] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source X.X.X.X:
Fault Code : s:Receiver Subcode : w:InternalError Reason : The array bounds are invalid. Fault Detail : Windows Event Forward Plugin failed
to read events.
Oct 5 13:57:52 RSALD NwLogCollector: [WindowsCollection] [warning] [WINR2.X_X_X_X] [processing] [WorkUnit] [processing] Unable to
cancel existing subscription for Windows event source: Fault Code : s:Receiver Subcode : w:InternalError Reason : Element not found.
Fault Detail : The WS-Management service could not identify the subscription context ID in the SOAP packet that was received.
The packet may have been invalid, or the operation may have timed out.
|Cause||This is solely a Windows-related issue. Microsoft is aware of it, and RSA Engineering is in contact with Microsoft to resolve it. According to Microsoft, RPC fails when a chunk of Windows events exceeds 2 MB.|
|Workaround||Filtering out the following Event IDs in the Channel field of the affected Windows event source may stop the issue from occurring:|
System^(101|201), Security^(4672|4776|4768|4769|5447), Application^(211|300), ForwardedEvents^(101|201|4672|4776|4768|4769|5447|211|300)
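The following script, added here as an example and not part of the RSA article, scans /var/log/messages for the two NwLogCollector fault signatures quoted above and reports which Windows event sources have hit the "array bounds are invalid" failure (the one that stops collection), so the Channel-field filter can be applied to the right source. The log lines, hostnames and IP addresses in SAMPLE_LOG are constructed for the example; the WINR2.<ip> tag format is taken from the article.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the /var/log/messages entries
# quoted in the article. Hostnames, IPs and timestamps are made up.
SAMPLE_LOG = """\
Oct 5 13:57:50 RSALD NwLogCollector: [WindowsCollection] [failure] [WINR2.10_1_2_3] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source 10.1.2.3: Fault Code : s:Receiver Subcode : w:InternalError Reason : The array bounds are invalid. Fault Detail : Windows Event Forward Plugin failed to read events.
Oct 5 13:57:52 RSALD NwLogCollector: [WindowsCollection] [warning] [WINR2.10_1_2_3] [processing] [WorkUnit] [processing] Unable to cancel existing subscription for Windows event source: Fault Code : s:Receiver Subcode : w:InternalError Reason : Element not found. Fault Detail : The WS-Management service could not identify the subscription context ID in the SOAP packet that was received. The packet may have been invalid, or the operation may have timed out.
Oct 5 13:58:01 RSALD NwLogCollector: [WindowsCollection] [info] [WINR2.10_1_2_4] [processing] [WorkUnit] [processing] Pulled 250 events from Windows event source 10.1.2.4
Oct 5 13:58:05 RSALD sshd[1234]: Accepted publickey for admin from 10.9.9.9 port 50000 ssh2
"""

# Matches the WindowsCollection prefix (severity, event-source tag) and the
# WS-Management fault reason. The tag is WINR2.<ip with dots as underscores>.
LINE_RE = re.compile(
    r"NwLogCollector: \[WindowsCollection\] \[(?P<severity>\w+)\] "
    r"\[(?P<source>WINR2\.[\w.]+)\] .*?Reason : (?P<reason>[^.]+)\."
)

# The two fault reasons quoted in the article.
ARRAY_BOUNDS = "The array bounds are invalid"      # collection stops
SUBSCRIPTION_LOST = "Element not found"            # follow-on warning


def parse_line(line):
    """Return (severity, source_ip, reason) for a WindowsCollection fault line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    tag = m.group("source")                      # e.g. WINR2.10_1_2_3
    ip = tag.split(".", 1)[1].replace("_", ".")  # -> 10.1.2.3
    return m.group("severity"), ip, m.group("reason").strip()


def stalled_sources(log_text):
    """Map each event-source IP to the list of (severity, reason) faults seen for it.

    Only the two fault reasons from the article are kept; other
    WindowsCollection messages and unrelated syslog lines are ignored."""
    faults = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        severity, ip, reason = parsed
        if reason in (ARRAY_BOUNDS, SUBSCRIPTION_LOST):
            faults[ip].append((severity, reason))
    return dict(faults)


def needs_workaround(log_text):
    """Sorted list of source IPs that hit the 'array bounds' failure.

    The subscription-cancel warning alone is reported by stalled_sources but
    is not treated as a stall, since it follows the real failure."""
    return sorted(ip for ip, reasons in stalled_sources(log_text).items()
                  if any(r == ARRAY_BOUNDS for _, r in reasons))


if __name__ == "__main__":
    for ip in needs_workaround(SAMPLE_LOG):
        print(f"{ip}: Windows collection stalled; apply the Event ID filter "
              f"in this source's Channel field")
```

Run it against the real file with `needs_workaround(open("/var/log/messages").read())`; each IP it returns is a Windows event source whose Channel field should receive the filter string above.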