2016-03-03 05:49 AM
Hi, I had integrated one MS Windows Server 2008 machine via the WinRM method.
The issue I have noticed with this machine is that it gives an error and the logging from this machine stops after a certain number of minutes.
The error I had seen on the Log Collector is:
[WINTRDABFVBC.172_20_29_29] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source 172.20.1.3: Fault Code : s:Receiver Subcode : w:InternalError Reason : The array bounds are invalid. Fault Detail : Windows Event Forward Plugin failed to read events.
Then I found one solution to fix this. Below is the solution which I applied. The solution helped me and then the logs started coming from the same machine.
But after 1 week the problem came back, and I'm again getting the same error message for the MS Windows machine.
Step 1
To check the current limit, log on to the machine configured with WinRM and get the command-line result of: wevtutil gl Security
Here we are looking for the "maxSize"
Step 2
In the Group Policy Management Editor, expand Computer Configuration > Policies >
Administrative Templates > Windows Component.
Edit Maximum log Size: Enabled, and increase the size to 40480, Apply
Step 3
In PowerShell on the machine, apply a GPO force update
gpupdate /force
Step 4
Repeat step 1 to see if this took effect
Try to re-add the Collection and Monitor to see if this workaround works.
Does anyone know how to resolve this and permanently fix this issue?
Many thanks.
Regards,
Deepanshu Sood.
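An added example, not part of the original posts and not RSA or Microsoft code, for Step 1 and Step 4 above: it parses the output of wevtutil gl Security and reports whether the size set in Step 2 is in effect. The function name Test-EventLogMaxSize and the sample output are constructed for illustration. It assumes wevtutil reports maxSize in bytes while the policy value is entered in KB, and that Windows may round the size to a 64 KB boundary.

```powershell
# Added example: checks the effective maxSize of an event log channel against
# the value configured through Group Policy in Step 2.
# Assumptions: wevtutil prints maxSize in bytes, the policy value is in KB,
# and the effective size may be rounded to a 64 KB boundary.
function Test-EventLogMaxSize {
    param(
        [Parameter(Mandatory = $true)][string[]]$WevtutilOutput,
        [Parameter(Mandatory = $true)][int64]$ExpectedKB
    )

    # Find the "maxSize: <bytes>" line in the logging section.
    $maxLine = $WevtutilOutput |
        Where-Object { $_ -match '^\s*maxSize:\s*\d+\s*$' } |
        Select-Object -First 1
    if (-not $maxLine) { throw 'maxSize not found in wevtutil output' }

    $bytes = [int64](($maxLine -split ':')[1].Trim())
    $kb    = [math]::Floor($bytes / 1KB)

    New-Object PSObject -Property @{
        MaxSizeBytes  = $bytes
        MaxSizeKB     = $kb
        ExpectedKB    = $ExpectedKB
        # Allow 64 KB of slack for rounding (assumption, see above).
        PolicyApplied = ($kb -ge ($ExpectedKB - 64))
    }
}

# Constructed sample of "wevtutil gl Security" output taken before the change.
# On the server itself, use:  $out = wevtutil gl Security
$out = @(
    'name: Security',
    'enabled: true',
    'logging:',
    '  logFileName: %SystemRoot%\System32\Winevt\Logs\Security.evtx',
    '  retention: false',
    '  autoBackup: false',
    '  maxSize: 20971520'
)

# 20971520 bytes is 20480 KB, so PolicyApplied is False for the 40480 KB target.
Test-EventLogMaxSize -WevtutilOutput $out -ExpectedKB 40480
```

Run it once before Step 2 and again after gpupdate /force; PolicyApplied should change from False to True if the GPO reached the machine.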
2016-11-09 04:11 PM
I've run into the same issue and have not found a solution. I am commenting here to track any responses.
2016-11-14 11:42 AM
Hello Naushad,
The issue appears to be a "well-known issue" even from Microsoft's side.
You can find the workaround in this KB: 000034215
Regards Emmanuele
2016-12-15 11:44 AM
Hi Emmanuele, would you happen to have a link? I cannot find this KB at Microsoft at all.
2020-08-23 07:47 PM
See this link to RSA KB, Error message "The array bounds are invalid" reported for Windows 2008 R2 and Windows 2012 R2 with WinRM in RSA Security Analytics
There is also the following Microsoft KB article that describes a released fix (Microsoft won't fix it for 2008 or base 2012, so customers would have to make sure the forwarding system is minimum Windows 2012 R2):
https://support.microsoft.com/en-us/help/4075212/windows-81-update-kb4075212
The above Microsoft link mentions the below is fixed,