Article Number
000029090
Applies To
RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector
Platform: Windows Server (WinRM)
O/S Version: Windows Server 2008 R2, Windows Server 2012 R2
Issue
Some security events are not being collected from a Windows Server 2008 R2 or Windows Server 2012 R2 host due to parsing issues caused by a malformed event XML.
When the issue occurs, the /var/log/messages file reports a failure similar to the example below.
Sep 11 11:00:32 localhost nw[1442]: [WindowsCollection] [failure] [Win2k8R2] Error retrieving SOAP message due to malformed event XML from the server.
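To find which Windows event sources are hitting this failure before chasing the hotfix, the collector log can be scanned for the exact message above. The following script is an added example, not part of the RSA article or product; the log lines it parses are constructed to match the format of the entry quoted above, and the hostname, PID and event-source names in them are made up.

```python
import re
from collections import Counter

# Constructed sample /var/log/messages content in the Log Collector's format
# (hostname, pid and event-source names are invented for this example).
SAMPLE_MESSAGES = """\
Sep 11 11:00:32 localhost nw[1442]: [WindowsCollection] [failure] [Win2k8R2] Error retrieving SOAP message due to malformed event XML from the server.
Sep 11 11:00:33 localhost nw[1442]: [WindowsCollection] [info] [Win2k8R2] Collected 250 events.
Sep 11 11:05:10 localhost nw[1442]: [WindowsCollection] [failure] [Win2k12R2-DC1] Error retrieving SOAP message due to malformed event XML from the server.
Sep 11 11:07:41 localhost nw[1442]: [WindowsCollection] [failure] [Win2k8R2] Error retrieving SOAP message due to malformed event XML from the server.
Sep 11 11:09:00 localhost nw[1442]: [WindowsCollection] [failure] [Win2k12R2-DC1] Connection refused
"""

# Syslog timestamp, host, process[pid], then the bracketed component,
# severity and event-source fields, followed by the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"\[(?P<component>[^\]]+)\] \[(?P<level>[^\]]+)\] \[(?P<source>[^\]]+)\] "
    r"(?P<msg>.*)$"
)

# The failure text the article quotes, matched as a prefix of the message.
MALFORMED_XML_MSG = "Error retrieving SOAP message due to malformed event XML"


def parse_line(line):
    """Split one collector log line into its fields, or return None if it
    does not follow the expected format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def malformed_xml_failures(text):
    """Count malformed-event-XML failures per Windows event source."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["component"] == "WindowsCollection"
                and rec["level"] == "failure"
                and rec["msg"].startswith(MALFORMED_XML_MSG)):
            counts[rec["source"]] += 1
    return counts


def affected_sources(text, threshold=1):
    """Event sources with at least `threshold` malformed-XML failures,
    sorted by name so the output is stable."""
    return sorted(s for s, n in malformed_xml_failures(text).items() if n >= threshold)


if __name__ == "__main__":
    for source, n in malformed_xml_failures(SAMPLE_MESSAGES).most_common():
        print(f"{source}: {n} malformed event XML failure(s); verify the KB2956014 hotfix on that host")
```

Run it against a real file by replacing SAMPLE_MESSAGES with the contents of /var/log/messages; each event source it lists is a Windows host on which the hotfix status should be verified.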
Cause
This issue occurs due to a known Microsoft issue in which the Audit event ID 4661 triggers an XML error in a Windows Server 2012 R2 or Windows Server 2008 environment.
The root cause is that Security Audit event 4661 contains an invalid value in its Privileges field. This corrupts the transaction, producing the error above and preventing the Log Collector from properly consuming the events.
Resolution
The issue can be rectified by applying the appropriate hotfix found in Microsoft Knowledgebase Article 2956014.