Error message "The array bounds are invalid" reported for Windows 2008 R2 and Windows 2012 R2 with WinRM in RSA Security Analytics

Issue

Windows Collection stops completely when an error similar to the example below is reported in the /var/log/messages file.
[WindowsCollection] [failure] [WINR2.X_X_X_X] [processing] [WorkUnit] [processing] Unable to pull events from Windows event source X.X.X.X:
Fault Code : s:Receiver Subcode : w:InternalError Reason : The array bounds are invalid.  Fault Detail : Windows Event Forward Plugin failed
to read events.
Oct  5 13:57:52 RSALD NwLogCollector[3241]: [WindowsCollection] [warning] [WINR2.X_X_X_X] [processing] [WorkUnit] [processing] Unable to
cancel existing subscription for Windows event source: Fault Code : s:Receiver Subcode : w:InternalError Reason : Element not found.  
Fault Detail : The WS-Management service could not identify the subscription context ID in the SOAP packet that was received.
The packet may have been invalid, or the operation may have timed out.
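
Because collection stops for the affected source, it is worth checking the log for this fault directly. The following is an added example, not RSA code: it scans NwLogCollector lines in the layout quoted above and reports which event sources logged the array-bounds failure. The function name, the sample lines and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Layout taken from the NwLogCollector lines quoted in the Issue section.
LINE_RE = re.compile(
    r"(?:(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\s)?NwLogCollector\[\d+\]: "
    r"\[WindowsCollection\] \[(?P<level>\w+)\] \[(?P<source>[^\]]+)\] "
    r".*?Reason : (?P<reason>.+?)\s+Fault Detail :"
)
ARRAY_BOUNDS = "The array bounds are invalid."


def find_stalled_sources(lines):
    """Map each event source that logged the array-bounds failure to its
    failure count and the timestamp of the most recent occurrence."""
    stalled = {}
    for line in lines:
        m = LINE_RE.search(line)
        # Only [failure] lines with this exact reason mark a stalled source;
        # the follow-up "Element not found" warning is a side effect.
        if not m or m["level"] != "failure" or m["reason"] != ARRAY_BOUNDS:
            continue
        entry = stalled.setdefault(m["source"], {"count": 0, "last_seen": None})
        entry["count"] += 1
        entry["last_seen"] = m["ts"]  # log is chronological, so the last hit wins
    return stalled


# Constructed sample input (assumption: one log entry per line, as in
# /var/log/messages; source name and addresses are placeholders).
HEAD = "RSALD NwLogCollector[3241]: [WindowsCollection] "
CTX = "[WINR2.192_0_2_10] [processing] [WorkUnit] [processing] "
FAIL = (HEAD + "[failure] " + CTX + "Unable to pull events from Windows event "
        "source 192.0.2.10: Fault Code : s:Receiver Subcode : w:InternalError "
        "Reason : The array bounds are invalid.  Fault Detail : Windows Event "
        "Forward Plugin failed to read events.")
WARN = (HEAD + "[warning] " + CTX + "Unable to cancel existing subscription for "
        "Windows event source: Fault Code : s:Receiver Subcode : w:InternalError "
        "Reason : Element not found.  Fault Detail : The WS-Management service "
        "could not identify the subscription context ID.")
SAMPLE_LINES = [
    "Oct  5 13:57:50 " + FAIL,
    "Oct  5 13:57:52 " + WARN,
    "Oct  5 14:02:10 " + FAIL,
    "Oct  5 14:03:00 RSALD sshd[991]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for source, info in find_stalled_sources(SAMPLE_LINES).items():
        print(f"{source}: {info['count']} failure(s), last at {info['last_seen']}")
```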

Cause

This is solely a Windows-related issue. Microsoft is aware of it, and RSA Engineering is in contact with Microsoft to resolve it. According to Microsoft, RPC has a problem with chunks of Windows events over 2 MB.


Workaround

Filtering out the following EventIDs in the Channel field may stop the issue from occurring:
System^(101|201), Security^(4672|4776|4768|4769|5447), Application^(211|300), ForwardedEvents^(101|201|4672|4776|4768|4769|5447|211|300)

Product Details

RSA Product Set: NetWitness Logs & Network, Security Analytics
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.5 and above