Hi, I had integrated one MS Windows Server 2008 machine via the WinRM method.
The issue I noticed with this machine is that it gives an error, and logging from this machine stops after some minutes.
The error I had seen on the Log Collector is:
[WINTRDABFVBC.172_20_29_29] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source 172.20.1.3: Fault Code : s:Receiver Subcode : w:InternalError Reason : The array bounds are invalid. Fault Detail : Windows Event Forward Plugin failed to read events.
Then I found one solution to fix this. Below is the solution which I applied. The solution helped me and then the logs started coming from the same machine.
But after 1 week the problem reappeared, and I'm again getting the same error message for the MS Windows machine.
1. To check the current limit, log on to the machine configured with WinRM and get the command-line result of: wevtutil gl Security
   Here we are looking for the "maxSize".
2. In the Group Policy Management Editor, expand Computer Configuration > Policies > Administrative Templates > Windows Components.
3. Edit Maximum Log Size: Enabled, increase the size to 40480, and Apply.
4. In PowerShell on the machine, apply a GPO force update.
5. Repeat step 1 to see if this took effect.
6. Try to re-add the Collection and Monitor to see if this workaround works.
Does anyone know how to resolve this and permanently fix this issue?
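
The `wevtutil gl Security` check that the post runs before and after the policy change can be scripted, as in this added example (not part of the original post). The function names and the sample output are constructed for illustration, and it assumes the 40480 entered in the policy is in kilobytes, while `wevtutil` reports `maxSize` in bytes.

```powershell
# Added example (PowerShell 2.0-compatible syntax for Server 2008).
# wevtutil prints maxSize in bytes; the policy value is assumed to be in KB.

function Get-ChannelMaxSizeKB {
    param([Parameter(Mandatory=$true)][string[]]$WevtutilOutput)
    foreach ($line in $WevtutilOutput) {
        if ($line -match '^\s*maxSize:\s*(\d+)\s*$') {
            return [int64]([math]::Floor([int64]$Matches[1] / 1KB))
        }
    }
    throw 'maxSize not found in wevtutil output'
}

function Compare-ChannelMaxSize {
    param(
        [Parameter(Mandatory=$true)][string[]]$Before,
        [Parameter(Mandatory=$true)][string[]]$After,
        [Parameter(Mandatory=$true)][int64]$TargetKB
    )
    $beforeKB = Get-ChannelMaxSizeKB -WevtutilOutput $Before
    $afterKB  = Get-ChannelMaxSizeKB -WevtutilOutput $After
    New-Object PSObject -Property @{
        BeforeKB    = $beforeKB
        AfterKB     = $afterKB
        TargetKB    = $TargetKB
        Changed     = ($afterKB -ne $beforeKB)
        MeetsTarget = ($afterKB -ge $TargetKB)
    }
}

# Constructed samples of `wevtutil gl Security` output, trimmed to the logging block.
$before = @'
name: Security
enabled: true
logging:
  retention: false
  autoBackup: false
  maxSize: 20971520
'@ -split "`r?`n"
$after = $before -replace 'maxSize: \d+', 'maxSize: 41451520'

Compare-ChannelMaxSize -Before $before -After $after -TargetKB 40480

# Live use on the WinRM source: capture the output before and after the policy refresh.
#   $before = wevtutil gl Security
#   gpupdate /force
#   $after  = wevtutil gl Security
```

If `Changed` is false after the refresh, the policy has not reached the machine and the collector will keep reading from a log of the old size.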