Hi, I had integrated one MS Windows Server 2008 machine via the WinRM method.
Now the issue I have noticed with this machine is that it gives an error and the logging of this machine stops after a certain number of minutes.
The error I had seen on the Log Collector is:
[WINTRDABFVBC.172_20_29_29] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source 172.20.1.3: Fault Code : s:Receiver Subcode : w:InternalError Reason : The array bounds are invalid. Fault Detail : Windows Event Forward Plugin failed to read events.
Then I found one solution to fix this. Below is the solution which I applied. The solution helped me and then the logs started coming from the same machine.
But after 1 week the problem reoccurred and I'm again getting the same error message for the MS Windows machine.
Step 1
To check the current limit, log on to the machine configured with WinRM and get the command-line result of: wevtutil gl Security
Here we are looking for the "maxSize"
Step 2
In the Group Policy Management Editor, expand Computer Configuration > Policies > Administrative Templates > Windows Components.
Edit Maximum Log Size: Enabled, and increase the size to 40480, Apply
Step 3
In PowerShell on the machine, apply a forced GPO update:
gpupdate /force
Step 4
Repeat step 1 to see if this took effect
Try to re-add the Collection and Monitor to see if this workaround works.
Does anyone know how to resolve this and permanently fix this issue?
Many thanks.
Regards,
Deepanshu Sood.
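A check for steps 1 and 4 of the post above, as an added example that is not part of the original post: it parses `wevtutil gl Security` output and compares `maxSize` with the value entered in Group Policy. It assumes `wevtutil` reports `maxSize` in bytes and that the policy value 40480 is in kilobytes; the function name `Test-EventLogMaxSize` and the sample output are constructed for illustration.

```powershell
# Added example (not from the original post).
# Assumptions: wevtutil reports maxSize in bytes; the GPO value (40480) is in KB.
function Test-EventLogMaxSize {
    param(
        [string[]]$WevtutilOutput,   # lines produced by: wevtutil gl Security
        [long]$ExpectedKB = 40480    # value entered in the policy (from the post)
    )
    $fields = @{}
    foreach ($line in $WevtutilOutput) {
        # Lines look like "  maxSize: 20971520"; capture the key and the rest of the line
        if ($line -match '^\s*(\w+):\s*(.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }
    if (-not $fields.ContainsKey('maxSize')) {
        throw 'maxSize not found in wevtutil output'
    }
    $actualBytes   = [long]$fields['maxSize']
    $expectedBytes = $ExpectedKB * 1024
    # Allow 64 KB of slack in case the service rounds the configured size (assumption)
    $applied = ($actualBytes -ge ($expectedBytes - 64KB))
    New-Object PSObject -Property @{
        Log           = $fields['name']
        MaxSizeBytes  = $actualBytes
        MaxSizeKB     = [math]::Floor($actualBytes / 1024)
        ExpectedKB    = $ExpectedKB
        PolicyApplied = $applied
        Retention     = $fields['retention']
        AutoBackup    = $fields['autoBackup']
    }
}

# Constructed sample of `wevtutil gl Security` output (not captured from a real host)
$sample = @(
    'name: Security', 'enabled: true', 'type: Admin', 'logging:',
    '  logFileName: %SystemRoot%\System32\Winevt\Logs\Security.evtx',
    '  retention: false', '  autoBackup: false', '  maxSize: 20971520'
)
Test-EventLogMaxSize -WevtutilOutput $sample | Format-List

# On the WinRM source itself (steps 1 and 4 of the post):
# Test-EventLogMaxSize -WevtutilOutput (wevtutil gl Security) | Format-List
```

With the constructed sample, `MaxSizeKB` is 20480 and `PolicyApplied` is False, which is the state expected before the GPO change in step 2 has taken effect.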
I've run into the same issue and have not found a solution. I am commenting here to track any responses.