Error messages similar to the following are displayed:
"2014-04-10T08:42:43","INFO","WindowsCollection","","windows, windows started."
"2014-04-10T08:42:43","INFO","WindowsCollection","","[alias.hostname_domain_com] [processing] [alias.hostname_domain_com] Starting work"
"2014-04-10T08:42:43","INFO","WindowsCollection","","[alias.hostname_domain_com] [processing] [alias.hostname_domain_com] Enumerating SID information"
"2014-04-10T08:42:43","ERROR","WindowsCollection","","[alias.hostname_domain_com] Error enumerating for account SIDs. Response code = 401/Unknown"
"2014-04-10T08:42:43","ERROR","WindowsCollection","","[alias.hostname_domain_com] [processing] [alias.hostname_domain_com] Error enumerating for SID information: 401/Unauthorized."
"2014-04-10T08:42:43","ERROR","WindowsCollection","","[alias.hostname_domain_com] Error subscribing. Response code = 401/Unknown"
An error message similar to the following is displayed:
2014-Mar-06 13:20:22 [WindowsCollection] [LAB.xx_xx_xx_xx] [processing] [LAB.xx_xx_xx_xx] Unable to pull events from Windows event source xx.xx.xx.xx: Fault Code : s:Receiver Subcode : n:InvalidEnumerationContext Reason : The WS-Enumeration context in the enumeration is not valid. Enumeration may have been completed or cancelled. You cannot use this enumeration context anymore. Start a new enumeration...
This issue is caused by incorrect Event Source credentials.
Once a subscription has been created, the Windows event source returns an "Enumeration Context" with each pull request. That context must be sent back to the event source in the next pull request.
If the enumeration context is invalid, the above error may be generated and collection cannot continue within the current subscription. This can happen if the Windows event source has been rebooted or the WinRM service has been restarted. Windows collection, however, handles this error automatically: it cancels the existing subscription, if any, and re-subscribes from the last saved bookmarks.
Sometimes this error is triggered by Windows collection itself. For example, if Windows collection is stopped while processing pulled events, it is forced to cancel the existing subscription so that it can resume collection correctly. It forces a re-subscription by clearing the saved enumeration context.
If the system does not handle the re-subscription automatically, you can follow the steps below to force a re-subscription:
In order to resolve the issue, follow the steps below.
For example:
BEFORE:
<subscription_id>7F75E08D-6045-4D82-8135-FCD4F59DED96</subscription_id>
<enum_context>uuid:602492F1-AEB6-4FEE-B0E5-7388B5DDF5B2</enum_context>
AFTER:
<subscription_id></subscription_id>
<enum_context></enum_context>
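To tell the two failures above apart per event source before clearing anything, the following added example (not part of the original article or of the product) parses both log layouts shown here and separates 401 authentication failures from InvalidEnumerationContext faults. The sample log is constructed from the lines above, and the cause labels `credentials` and `stale_enum_context` are names chosen for this example.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the two log layouts shown in this article.
SAMPLE_LOG = '''"2014-04-10T08:42:43","INFO","WindowsCollection","","[alias.hostname_domain_com] [processing] [alias.hostname_domain_com] Starting work"
"2014-04-10T08:42:43","ERROR","WindowsCollection","","[alias.hostname_domain_com] Error enumerating for account SIDs. Response code = 401/Unknown"
"2014-04-10T08:42:43","ERROR","WindowsCollection","","[alias.hostname_domain_com] Error subscribing. Response code = 401/Unknown"
2014-Mar-06 13:20:22 [WindowsCollection] [LAB.xx_xx_xx_xx] [processing] [LAB.xx_xx_xx_xx] Unable to pull events from Windows event source xx.xx.xx.xx: Fault Code : s:Receiver Subcode : n:InvalidEnumerationContext Reason : The WS-Enumeration context in the enumeration is not valid.
'''

# First bracketed tag containing a dot, e.g. "[alias.hostname_domain_com]".
SOURCE_RE = re.compile(r"\[([^\]\s]+\.[^\]\s]+)\]")
# Cause labels are hypothetical names used only by this example.
RULES = [
    (re.compile(r"\b401/"), "credentials"),
    (re.compile(r"InvalidEnumerationContext"), "stale_enum_context"),
]

def message_of(line):
    """Return the free-text message from either log layout."""
    if line.startswith('"'):
        # Quoted CSV layout: timestamp, level, module, (empty), message.
        fields = next(csv.reader(io.StringIO(line)))
        return fields[-1] if len(fields) >= 5 else ""
    # Plain layout: "<date> <time> [WindowsCollection] <message>".
    _, _, rest = line.partition("[WindowsCollection]")
    return rest.strip()

def triage(log_text):
    """Map each event source alias to the set of causes seen for it."""
    causes = defaultdict(set)
    for line in log_text.splitlines():
        msg = message_of(line.strip())
        source = SOURCE_RE.search(msg)
        if not source:
            continue  # no event source tag, e.g. the service start line
        for pattern, cause in RULES:
            if pattern.search(msg):
                causes[source.group(1)].add(cause)
    return dict(causes)

if __name__ == "__main__":
    for source, found in sorted(triage(SAMPLE_LOG).items()):
        print(source, sorted(found))
```

A source reported as `credentials` needs its event source account checked; only a source that keeps reporting `stale_enum_context` is a candidate for the forced re-subscription shown above.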