2015-01-15 05:04 PM
I'm getting the following error, and only on one Windows host. This is one of three identical systems that "should" be identical.
Jan 14 20:12:06 server-salogvlc1 nw[1731]: [WindowsCollection] [failure] [serverctx3] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source serverctx3: Fault Code : s:Sender Subcode : w:InternalError Reason : The WS-Management service cannot process the request because the XML is invalid. Fault Detail : http://schemas.dmtf.org/wbem/wsman/1/wsman/faultDetail/InvalidWindows Event Forward Plugin failed to read events.
Jan 14 20:12:06 server-salogvlc1 nw[1731]: [WindowsCollection] [warning] [serverctx3] [processing] [WorkUnit] [processing] Unable to cancel existing subscription for Windows event source: Fault Code : s:Receiver Subcode : w:InternalError Reason : Element not found. Fault Detail : The WS-Management service could not identify the subscription context ID in the SOAP packet that was received. The packet may have been invalid, or the operation may have timed out.
Jan 14 20:12:06 server-salogvlc1 nw[1731]: [WindowsCollection] [info] [serverctx3] [processing] [WorkUnit] [processing] Finished work
Jan 14 20:12:06 server-salogvlc1 nw[1731]: [WindowsCollection] [failure] [serverctx3] [processing] [WorkUnit] [processing failure] windows:WrkUnit[1] Processing failed.
Jan 14 20:12:07 server-salogvlc1 nw[1731]: [WindowsCollection] [info] Testing Windows Connection for serverctx3
If I remove the Event Source and re-add it, it starts working for a few tries, then fails.
Any ideas?
2015-01-19 12:17 PM
Here is the answer tech support gave me to address the issue.
Based on the error messages, it appears that you are likely experiencing a known Microsoft issue that is documented in the knowledgebase article 29090 (https://rsaportal.force.com/customer/articles/RSA_Technical_Advisory/RSA-Security-Analytics-Log-Collector-is-unable-to-collect-some-security-events-from-Windows-Server-2008-R2). A hotfix for the issue is available in the Microsoft Knowledgebase Article 2956014 (http://support.microsoft.com/kb/2956014).
A workaround for the issue is to exclude the Security Audit 4661 channel in the event source configuration. This is done by entering Security^(4661) in the Channel field. More information on the Windows Event Source Configuration can be found in the Security Analytics User Guide at the following link: https://sadocs.emc.com/0_en-us/090_10.4_User_Guide/135_LogCollectGds/93_WinProto/20_WinRef/00_WinESParam
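As an added example (not from the thread, RSA or Microsoft), a small Python parser that runs over collector log lines in the format quoted above and reports, per Windows event source, how many work units failed and whether the WS-Management "XML is invalid" fault and the stale-subscription warning from the advisory were seen. The sample lines, the second source serverctx2 and all function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the collector lines quoted in the thread;
# serverctx2 is an added, healthy source for contrast.
SAMPLE_LOG = """\
Jan 14 20:12:06 server-salogvlc1 nw[1731]: [WindowsCollection] [failure] [serverctx3] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source serverctx3: Fault Code : s:Sender Subcode : w:InternalError Reason : The WS-Management service cannot process the request because the XML is invalid. Fault Detail : http://schemas.dmtf.org/wbem/wsman/1/wsman/faultDetail/InvalidWindows Event Forward Plugin failed to read events.
Jan 14 20:12:06 server-salogvlc1 nw[1731]: [WindowsCollection] [warning] [serverctx3] [processing] [WorkUnit] [processing] Unable to cancel existing subscription for Windows event source: Fault Code : s:Receiver Subcode : w:InternalError Reason : Element not found.
Jan 14 20:12:06 server-salogvlc1 nw[1731]: [WindowsCollection] [failure] [serverctx3] [processing] [WorkUnit] [processing failure] windows:WrkUnit[1] Processing failed.
Jan 14 20:12:07 server-salogvlc1 nw[1731]: [WindowsCollection] [info] Testing Windows Connection for serverctx3
Jan 14 20:12:07 server-salogvlc1 nw[1731]: [WindowsCollection] [info] [serverctx2] [processing] [WorkUnit] [processing] Finished work
"""

# syslog prefix, collector tag, severity, optional event-source bracket, free text
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) nw\[\d+\]: \[WindowsCollection\] "
    r"\[(?P<level>\w+)\] (?:\[(?P<source>[^\]]+)\] )?(?P<msg>.*)$"
)
# Signatures of the two WS-Management problems quoted in the thread.
INVALID_XML = "cannot process the request because the XML is invalid"
STALE_SUBSCRIPTION = "Unable to cancel existing subscription"


def parse_line(line):
    """Return the fields of one WindowsCollection syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Per event source: failure count, 'Finished work' count and which fault signatures appeared."""
    report = defaultdict(lambda: {"failures": 0, "finished": 0,
                                  "invalid_xml": False, "stale_subscription": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["source"] is None:
            continue  # unparsable, or not tied to a source (e.g. connection tests)
        r = report[rec["source"]]
        if rec["level"] == "failure":
            r["failures"] += 1
        if rec["msg"].endswith("Finished work"):
            r["finished"] += 1
        if INVALID_XML in rec["msg"]:
            r["invalid_xml"] = True
        if STALE_SUBSCRIPTION in rec["msg"]:
            r["stale_subscription"] = True
    return dict(report)


def sources_with_invalid_xml_fault(report):
    """Sources whose pulls fail with the InvalidXML fault, i.e. candidates for the channel workaround."""
    return sorted(src for src, r in report.items() if r["invalid_xml"])
```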
2015-01-20 04:13 AM
When you said it worked for a few tries, do you mean it actually got some logs from the event source?
2015-01-20 08:04 AM
Yes, without the above fix, it pulled logs about 3 times, then failed with the above error.
This can be reproduced by deleting the event source from Security Analytics, then re-adding it.
Only a temp fix for a few rounds of logs.