This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Windows Event Forward Plugin failed to read events

DeepanshuSood1
Beginner
Beginner

‎2016-03-03 05:49 AM

Hi I had integrated one MS Windows Server 2008 machine via winrm method.

Now what the issue I had noticed with this machine is that it's giving an error and the loging of this machine gets stopped after some certain minutes.

 

The error I had seen on the Log Collector is:

[WINTRDABFVBC.172_20_29_29] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source 172.20.1.3: Fault Code : s:Receiver Subcode : w:InternalError Reason : The array bounds are invalid.  Fault Detail : Windows Event Forward Plugin failed to read events.

 

Then I found one solution to fix this. Below is the solution which I applied. The solution helped me and then the logs started coming from the same machine.

But after 1 week the problem re-exists and again I'm getting the same error message for the MS Windows machine.

 

Step 1

To check the current limit , Log on to the machine configured with WinRM  and get the cmd line result of :  wevtutil gl Security

Here we are looking for the "maxSize"

Step 2

In the Group Policy Management Editor, expand Computer Configuration > Policies >

Administrative Templates > Windows Component.

Edit Maximum log Size :  Enabled , and increase the size to 40480 , Apply

Step 3

On the powershell of the machine, Apply a GPO force update

gpupdate /force

 

Step 4

Repeat step 1  to see if this took effect

Try and  readd the Collection and Monitor to see if this workaround works.

 

Does any know how to resolve this and permanently fix this issue.

 

Many thanks.

 

Regards,

Deepanshu Sood.

4 REPLIES 4

NaushadKasu1
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2016-11-09 04:11 PM

I've run into the same issue and have not found a solution.  I am commenting here to track any responses. 

EmmanueleLaPort
Beginner
Beginner

‎2016-11-14 11:42 AM

Hello Naushad,

the issue appear to be a "well known issue" even from microsoft side.

You can find the work around on this KB: 000034215
Regards Emmanuele

0 Likes

JoeGumke
Beginner
Beginner
In response to EmmanueleLaPort

‎2016-12-15 11:44 AM

Hi Emmanuele, Would you happen to have a link ? I cannot find this KB in microsoft at all.

0 Likes

VincentWareham
Frequent Contributor Frequent Contributor
Frequent Contributor
In response to JoeGumke

‎2020-08-23 07:47 PM

See this link to RSA KB, Error message "The array bounds are invalid" reported for Windows 2008 R2 and Windows 2012 R2 with WinRM in RSA Security Analytics

 

There is also the following Microsoft KB article that describes a released fix (Microsoft won't fix it for 2008 or base 2012, so customers would have to make sure the forwarding system is minimum Windows 2012 R2):
https://support.microsoft.com/en-us/help/4075212/windows-81-update-kb4075212

The above Microsoft link mentions the below is fixed,

  •  Addresses issue in which servers are configured to push their security event logs to a central server for analysis through a subscription. WinRM event query returns error "0x6c6 (RPC_S_INVALID_BOUND)" from the target server.
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.