Windows Event Forward Plugin failed to read events
Hi, I had integrated one MS Windows Server 2008 machine via the WinRM method.
The issue I noticed with this machine is that it gives an error, and logging from this machine stops after a certain number of minutes.
The error I saw on the Log Collector is:
[WINTRDABFVBC.172_20_29_29] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source 172.20.1.3: Fault Code : s:Receiver Subcode : w:InternalError Reason : The array bounds are invalid. Fault Detail : Windows Event Forward Plugin failed to read events.
Then I found one solution to fix this. Below is the solution I applied. The solution helped me, and the logs started coming from the same machine again.
But after 1 week the problem recurs, and again I'm getting the same error message for the MS Windows machine.
1. To check the current limit, log on to the machine configured with WinRM and get the command-line result of: wevtutil gl Security
   Here we are looking for the "maxSize" value.
2. In the Group Policy Management Editor, expand Computer Configuration > Policies > Administrative Templates > Windows Component.
3. Edit Maximum Log Size: Enabled, and increase the size to 40480, then Apply.
4. In PowerShell on the machine, apply a GPO force update.
5. Repeat step 1 to see if this took effect.
6. Try and re-add the Collection and Monitor to see if this workaround works.
Does anyone know how to resolve this and permanently fix this issue?
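The check-and-recheck part of the workaround above (read maxSize with wevtutil, force a Group Policy refresh, read it again) can be scripted so that the host is audited before and after the refresh. The following PowerShell is an added example and is not from the original post or from RSA; the 40480 KB target is the value the post uses, while the comparison logic, the function names and the FileSize reporting are this example's own assumptions. It must run in an elevated session because the Security log configuration is read.

```powershell
# Added example (not from the original post): audit the configured maximum
# size of the Security log on a WinRM event source, and re-check it after a
# forced Group Policy refresh. Function names and thresholds are assumptions.

param(
    [string]$LogName  = 'Security',
    [int]   $TargetKB = 40480   # value from the post; the GPO "Maximum Log Size" setting is in KB
)

function Get-LogMaxSizeKB {
    param([string]$Name)
    # "wevtutil gl <log>" prints a line "maxSize: <bytes>"; convert to KB so it
    # can be compared directly with the GPO value.
    $out = & wevtutil gl $Name 2>&1
    $m = [regex]::Match(($out -join "`n"), 'maxSize:\s*(\d+)')
    if (-not $m.Success) { throw "Could not read maxSize for log '$Name': $out" }
    return [math]::Floor([int64]$m.Groups[1].Value / 1KB)
}

function Test-LogSize {
    param([string]$Name, [int]$MinKB)
    $kb = Get-LogMaxSizeKB -Name $Name
    # FileSize (current on-disk size) is reported alongside the limit so a log
    # that is sitting at its cap is visible at a glance.
    $cfg = Get-WinEvent -ListLog $Name
    [pscustomobject]@{
        Log        = $Name
        MaxSizeKB  = $kb
        TargetKB   = $MinKB
        Compliant  = ($kb -ge $MinKB)
        FileSizeKB = [math]::Floor($cfg.FileSize / 1KB)
    }
}

$before = Test-LogSize -Name $LogName -MinKB $TargetKB
$before | Format-List

if (-not $before.Compliant) {
    Write-Warning "maxSize ($($before.MaxSizeKB) KB) is below the target ($TargetKB KB); forcing a Group Policy refresh."
    & gpupdate /force | Out-Null
    $after = Test-LogSize -Name $LogName -MinKB $TargetKB
    $after | Format-List
    if (-not $after.Compliant) {
        Write-Warning "Still below target after gpupdate; confirm with 'gpresult /r' that the GPO applies to this host and that no other policy sets the Security log size."
    }
}
```

Running this on a schedule (or from the collector side over WinRM) gives an early signal if the configured limit drifts back below the target, which is the situation the post describes recurring after a week; it does not by itself address the WinRM fault, only the log-size side of the workaround.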
There is also the following Microsoft KB article that describes a released fix (Microsoft won't fix it for 2008 or base 2012, so customers would have to make sure the forwarding system is at minimum Windows 2012 R2):
The above Microsoft link mentions that the following is fixed:
- Addresses issue in which servers are configured to push their security event logs to a central server for analysis through a subscription. WinRM event query returns error "0x6c6 (RPC_S_INVALID_BOUND)" from the target server.