RSA Admin

Windows Events Collecting suddenly stopped on some W2k8 R2 servers

Discussion created by RSA Admin Employee on May 29, 2013
Latest reply on Jun 21, 2013 by lperlak

Hi there,


I have a problem: Windows Events Collecting suddenly stopped on some W2k8 R2 servers.


Configuration:


RSA enVision v 4.0 SP7 with the latest enVision Event Source Update #56 - agentless collection from 8 W2k8 servers via the Windows Eventing Collector Service. Since 2011 everything worked fine, but about 1 month ago Windows Events Collecting suddenly stopped on 3 of the 8 W2k8 R2 servers. Maybe it has something to do with the recent Apache Web Server upgrade to version 2.2.22 on these servers? The problematic servers are 10.14.11.11, 10.14.13.11 and 10.14.21.11.


I did some diagnosing with wineventsvc –v++ and here is a fragment of the output:


[12:52:16] WinRM interaction:  Endpoint=http://10.14.13.11:5985/wsman, Action=Pull, Resource=Win32_AccountSID, Time=00:00:00.093750, Success=Yes
[12:52:16] Event normalization failure: Reason=XML parsing errors.
[12:52:16] WinRM interaction:  Endpoint=http://10.14.21.11:5985/wsman, Action=Pull, Resource=EventLog, Time=00:00:00.140625, Success=No
[12:52:16] WinRM interaction:  Endpoint=http://10.14.21.11:5985/wsman, Action=Unsubscribe, Resource=EventLog, Time=00:00:00, Success=Yes
[12:52:16] Event normalization failure: Reason=XML parsing errors.
[12:52:16] Event source trace: EventSource=10_14_21_11, Status=Completed, Time=00:00:00.546875, Success=Yes, EventCount=0
[12:52:16] WinRM interaction:  Endpoint=http://10.14.11.11:5985/wsman, Action=Pull, Resource=EventLog, Time=00:00:00.140625, Success=No
[12:52:16] Event source trace: EventSource=10_14_21_11, Status=Sleeping, SleepForSeconds=300, ScheduleDetails=State:0 Errors:0 ErrorThreshold:10 Interval:300 DisableInterval:86400 UnresponsiveInterval:3600 Adaptive:no
[12:52:16] WinRM interaction:  Endpoint=http://10.14.11.11:5985/wsman, Action=Unsubscribe, Resource=EventLog, Time=00:00:00.015625, Success=Yes
[12:52:16] Event source trace: EventSource=10_14_11_11, Status=Completed, Time=00:00:00.578125, Success=Yes, EventCount=0
[12:52:16] Event source trace: EventSource=10_14_11_11, Status=Sleeping, SleepForSeconds=300, ScheduleDetails=State:0 Errors:0 ErrorThreshold:10 Interval:300 DisableInterval:86400 UnresponsiveInterval:3600 Adaptive:no
[12:52:16] Event normalization failure: Reason=XML parsing errors.
[12:52:16] WinRM interaction:  Endpoint=http://10.14.13.11:5985/wsman, Action=Pull, Resource=EventLog, Time=00:00:00.156250, Success=No
[12:52:16] WinRM interaction:  Endpoint=http://10.14.13.11:5985/wsman, Action=Unsubscribe, Resource=EventLog, Time=00:00:00.015625, Success=Yes
[12:52:16] Event source trace: EventSource=10_14_13_11, Status=Completed, Time=00:00:00.640625, Success=Yes, EventCount=0
[12:52:16] Event source trace: EventSource=10_14_13_11, Status=Sleeping, SleepForSeconds=300, ScheduleDetails=State:0 Errors:0 ErrorThreshold:10 Interval:300 DisableInterval:86400 UnresponsiveInterval:3600 Adaptive:no


I noticed "Event normalization failure: Reason=XML parsing errors" followed by "Action=Pull, Resource=EventLog, Time=00:00:00.XXXXXXX, Success=No".


Any idea what to do?


Thanks for any advice.


Regards, Martin.
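The trace above shows the collector succeeding on a plain CIM pull (Win32_AccountSID) against the same WinRM endpoint, then failing on the EventLog pull with an XML parsing error. The following PowerShell script is an added diagnostic, not part of the original post and not RSA enVision code; it reproduces those two steps independently of the collector so the failure can be narrowed to the endpoint, to the event-log resource, or to the content of individual events. It assumes (none of this is stated on the page) that it runs on a Windows host that can reach the three servers over WinRM HTTP on TCP 5985 with an account that is allowed to read the remote event log, and that only PowerShell 2.0-era cmdlets are available, as on Windows Server 2008 R2. The server list, log name and event count are parameters taken from the post and are assumptions about what should be checked.

```powershell
# Added diagnostic (not from the original post or from RSA enVision).
# Assumptions: WinRM HTTP listener on TCP 5985 on each target, an account with
# rights to read the remote event log, PowerShell 2.0 cmdlets only.
param(
    [string[]]$Servers  = @('10.14.11.11', '10.14.13.11', '10.14.21.11'),
    [string]  $LogName  = 'System',   # assumed log to sample; Security is larger
    [int]     $MaxEvents = 50
)

function Test-WinRmEventSource {
    param([string]$Server)

    # One row per server; every stage is recorded so a partial failure is visible.
    $r = New-Object PSObject -Property @{
        Server = $Server; Identify = $false; WinRMService = $null; Listeners = ''
        CimPull = $false; WsManEventPull = $null; EventsRendered = 0; BadXml = 0
        Error = $null
    }
    try {
        # 1. WS-Man Identify: answers whenever the listener is up, before auth.
        Test-WSMan -ComputerName $Server -ErrorAction Stop | Out-Null
        $r.Identify = $true

        # 2. A CIM pull over WinRM, the same kind of request the trace shows
        #    succeeding (Win32_AccountSID there); Win32_Service here so the
        #    WinRM service state comes back in the same round trip.
        $svc = Get-WSManInstance -ComputerName $Server -ErrorAction Stop `
                   -ResourceURI wmicimv2/Win32_Service -SelectorSet @{Name = 'WinRM'}
        $r.WinRMService = $svc.State
        $r.CimPull = $true

        # 3. Listener configuration as the target itself reports it
        #    (transport/address/port), to see who is really bound on 5985.
        $ls = @(Get-WSManInstance -ComputerName $Server -ErrorAction Stop `
                    -ResourceURI winrm/config/listener -Enumerate)
        $r.Listeners = ($ls | ForEach-Object { "$($_.Transport):$($_.Address):$($_.Port)" }) -join ';'

        # 4. Event-log pull over WinRM. The WinRM service serialises the
        #    Win32_NTLogEvent instances to XML on the target; if that XML is not
        #    well-formed the client side throws, which lands in the catch below.
        try {
            $wql = "SELECT * FROM Win32_NTLogEvent WHERE Logfile='$LogName'"
            $pulled = @(Get-WSManInstance -ComputerName $Server -ErrorAction Stop `
                            -ResourceURI wmicimv2/Win32_NTLogEvent -Enumerate `
                            -Filter $wql -Dialect WQL | Select-Object -First $MaxEvents)
            $r.WsManEventPull = "OK ($($pulled.Count) records)"
        } catch {
            $r.WsManEventPull = "FAILED: $($_.Exception.Message)"
        }

        # 5. Render recent events from the same log (this call uses RPC, not
        #    WinRM, so it isolates event *content* from the transport) and run
        #    each rendered record through the XML parser. A record whose
        #    strings carry characters that are illegal in XML fails here.
        $recent = Get-WinEvent -ComputerName $Server -LogName $LogName `
                      -MaxEvents $MaxEvents -ErrorAction Stop
        foreach ($ev in $recent) {
            $r.EventsRendered++
            try { $null = [xml]($ev.ToXml()) } catch { $r.BadXml++ }
        }
    } catch {
        $r.Error = $_.Exception.Message
    }
    $r
}

$report = foreach ($s in $Servers) { Test-WinRmEventSource -Server $s }
$report | Format-Table Server, Identify, WinRMService, Listeners, CimPull,
                       WsManEventPull, EventsRendered, BadXml, Error -AutoSize
```

Reading the result: Identify and CimPull true with WsManEventPull failing mirrors the collector trace and points at the event-log resource on that host rather than at the listener; a non-zero BadXml with a successful WS-Man pull points at specific event records; Identify false or an unexpected Listeners value is a transport problem on the target, which is where a change such as a web server upgrade on the same host would show up.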
