Windows Event Collecting suddenly stopped on some W2k8 R2 servers
Hi there,
I have a problem: Windows Event Collecting suddenly stopped on some W2k8 R2 servers.
Configuration:
RSA enVision v4.0 SP7 with the latest enVision Event Source Update #56 - agentless collecting from 8 W2k8 servers via the Windows Eventing Collector Service. Since 2011 everything worked fine, but about 1 month ago Windows Event Collecting suddenly stopped on 3 of the 8 W2k8 R2 servers. Maybe it has something to do with the recent Apache Web Server upgrade to ver 2.2.22 on these servers? The problematic servers are 10.14.11.11, 10.14.13.11 and 10.14.21.11.
I did some diagnosing with wineventsvc -v++ and here is a fragment of the output:
[12:52:16] WinRM interaction: Endpoint=http://10.14.13.11:5985/wsman, Action=Pull, Resource=Win32_AccountSID, Time=00:00:00.093750, Success=Yes
[12:52:16] Event normalization failure: Reason=XML parsing errors.
[12:52:16] WinRM interaction: Endpoint=http://10.14.21.11:5985/wsman, Action=Pull, Resource=EventLog, Time=00:00:00.140625, Success=No
[12:52:16] WinRM interaction: Endpoint=http://10.14.21.11:5985/wsman, Action=Unsubscribe, Resource=EventLog, Time=00:00:00, Success=Yes
[12:52:16] Event normalization failure: Reason=XML parsing errors.
[12:52:16] Event source trace: EventSource=10_14_21_11, Status=Completed, Time=00:00:00.546875, Success=Yes, EventCount=0
[12:52:16] WinRM interaction: Endpoint=http://10.14.11.11:5985/wsman, Action=Pull, Resource=EventLog, Time=00:00:00.140625, Success=No
[12:52:16] Event source trace: EventSource=10_14_21_11, Status=Sleeping, SleepForSeconds=300, ScheduleDetails=State:0 Errors:0 ErrorThreshold:10 Interval:300 DisableInterval:86400 UnresponsiveInterval:3600 Adaptive:no
[12:52:16] WinRM interaction: Endpoint=http://10.14.11.11:5985/wsman, Action=Unsubscribe, Resource=EventLog, Time=00:00:00.015625, Success=Yes
[12:52:16] Event source trace: EventSource=10_14_11_11, Status=Completed, Time=00:00:00.578125, Success=Yes, EventCount=0
[12:52:16] Event source trace: EventSource=10_14_11_11, Status=Sleeping, SleepForSeconds=300, ScheduleDetails=State:0 Errors:0 ErrorThreshold:10 Interval:300 DisableInterval:86400 UnresponsiveInterval:3600 Adaptive:no
[12:52:16] Event normalization failure: Reason=XML parsing errors.
[12:52:16] WinRM interaction: Endpoint=http://10.14.13.11:5985/wsman, Action=Pull, Resource=EventLog, Time=00:00:00.156250, Success=No
[12:52:16] WinRM interaction: Endpoint=http://10.14.13.11:5985/wsman, Action=Unsubscribe, Resource=EventLog, Time=00:00:00.015625, Success=Yes
[12:52:16] Event source trace: EventSource=10_14_13_11, Status=Completed, Time=00:00:00.640625, Success=Yes, EventCount=0
[12:52:16] Event source trace: EventSource=10_14_13_11, Status=Sleeping, SleepForSeconds=300, ScheduleDetails=State:0 Errors:0 ErrorThreshold:10 Interval:300 DisableInterval:86400 UnresponsiveInterval:3600 Adaptive:no
I noticed "Event normalization failure: Reason=XML parsing errors" followed by "Action=Pull, Resource=EventLog, Time=00:00:00.XXXXXXX, Success=No".
Any idea what to do?
Thanks for advice.
Regards, Martin.
I've managed to solve this problem. Maybe it will help someone. Here's the solution:
In my case the problematic one was the Security channel on all three affected servers. Maybe some malformed events there? So I raised the bookmarks for the Security channel in steps of 10 (via wineventbookmark.exe) and watched the status with wineventsvc.exe -v++. After increasing the bookmarks by about 30-50, the XML parse errors disappeared and collecting is working again.
Hi
We had the same problem and RSA made a fix for us, another release for the Windows collector.
The case was resolved after about 1 year of investigation.... The problem was with some characters in events, some non-ASCII characters...
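The bookmark-stepping workaround above finds the bad event blindly, ten events at a time. The following is an added example (not part of this thread, and not RSA's or the enVision collector's code) showing how a defender can triage a pulled batch of event XML offline: it reports which events fail XML parsing, so the bookmark can be advanced past exactly those, and checks whether stripping characters that XML 1.0 forbids (or bytes that are not valid UTF-8) makes them parse again. The sample events, user names and command line are constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Characters XML 1.0 forbids anywhere in a document; expat rejects them as
# "not well-formed". Tab, LF and CR are allowed, other C0 controls are not.
_XML_ILLEGAL = re.compile("[\x00-\x08\x0b\x0c\x0e-\x1f\ufffe\uffff]")


def check_event(raw: bytes) -> Tuple[bool, str]:
    """Parse one event the way an XML-based collector would; (ok, error detail)."""
    try:
        ET.fromstring(raw)
        return True, ""
    except ET.ParseError as exc:
        return False, str(exc)


def sanitize_event(raw: bytes) -> bytes:
    """Decode leniently (bad UTF-8 bytes become U+FFFD) and drop illegal chars."""
    text = raw.decode("utf-8", errors="replace")
    return _XML_ILLEGAL.sub("", text).encode("utf-8")


def triage(events: List[bytes]) -> Dict[str, object]:
    """Classify a batch: parsed OK, failed (index -> reason), recovered by sanitizing."""
    report = {"ok": [], "failed": {}, "recovered": []}
    for idx, event in enumerate(events):
        ok, detail = check_event(event)
        if ok:
            report["ok"].append(idx)
            continue
        report["failed"][idx] = detail          # this index is where the bookmark must move past
        if check_event(sanitize_event(event))[0]:
            report["recovered"].append(idx)
    return report


# Constructed sample batch modelled on Security channel events: event 1 carries
# an ESC control byte in a string field, event 2 a byte that is not valid UTF-8.
SAMPLE_EVENTS = [
    b'<Event><System><EventID>4624</EventID></System><EventData>'
    b'<Data Name="TargetUserName">svc_backup</Data></EventData></Event>',
    b'<Event><System><EventID>4688</EventID></System><EventData>'
    b'<Data Name="CommandLine">cmd.exe /c dir \x1b[0m</Data></EventData></Event>',
    b'<Event><System><EventID>4625</EventID></System><EventData>'
    b'<Data Name="TargetUserName">jos\xe9</Data></EventData></Event>',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

The `failed` indices are what to feed the bookmark tool; the `recovered` list tells you whether a character-stripping fix in the collector would have sufficed, which matches the root cause the vendor eventually shipped a fix for.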
