
NetWitness Log Collector is unable to collect some security events from Windows Server 2008 R2

Issue

Some security events are not being collected from a Windows Server 2008 R2 or Windows Server 2012 R2 host due to parsing issues caused by a malformed event XML.

When the issue occurs, the /var/log/messages file reports a failure similar to the example below.
Sep 11 11:00:32 localhost nw[1442]: [WindowsCollection] [failure] [Win2k8R2] Error retrieving SOAP message due to malformed event XML from the server.

Cause

This issue occurs due to a known Microsoft issue in which Audit event ID 4661 triggers an XML error in a Windows Server 2012 R2 or Windows Server 2008 environment.
Security Audit event 4661 contains an invalid value in the Privileges field. This corrupts the transaction, which produces the error above and prevents the Log Collector from consuming the events properly.
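The two symptoms above (the collector failure line in /var/log/messages and the event record that does not parse) can both be checked from the collector side. The script below is an added example, not NetWitness or Microsoft code: it scans constructed syslog lines for the WindowsCollection failure and runs each event record through an XML parser so that the EventID of a non-well-formed record can still be reported. The event skeleton, the Data element name PrivilegeList and the stray control byte used to simulate the invalid Privileges value are all assumptions for illustration, not the actual malformed content produced by the Microsoft bug.

```python
import re
import xml.etree.ElementTree as ET

# Constructed /var/log/messages excerpt modelled on the failure line in the article.
SAMPLE_MESSAGES = """\
Sep 11 10:59:58 localhost nw[1442]: [WindowsCollection] [info] [Win2k8R2] Collected 120 events
Sep 11 11:00:32 localhost nw[1442]: [WindowsCollection] [failure] [Win2k8R2] Error retrieving SOAP message due to malformed event XML from the server.
Sep 11 11:05:32 localhost nw[1442]: [WindowsCollection] [failure] [Win2k12R2] Error retrieving SOAP message due to malformed event XML from the server.
Sep 11 11:06:00 localhost nw[1442]: [WindowsCollection] [info] [Win2k12R2] Collected 80 events
"""

# Matches the collector's "malformed event XML" failure and captures the event source name.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ nw\[\d+\]: "
    r"\[WindowsCollection\] \[failure\] \[(?P<source>[^\]]+)\] "
    r"(?P<msg>.*malformed event XML.*)$"
)


def find_malformed_xml_failures(text):
    """Return (timestamp, event source) for every collector failure caused by malformed XML."""
    hits = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            hits.append((m.group("ts"), m.group("source")))
    return hits


# Windows event schema namespace; the record layout below is a minimal constructed skeleton.
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def build_event_xml(event_id, privilege_list):
    """Build a constructed event record with the given EventID and PrivilegeList data value."""
    return (
        f'<Event xmlns="{EVENT_NS}">'
        f"<System><EventID>{event_id}</EventID><Channel>Security</Channel></System>"
        f'<EventData><Data Name="PrivilegeList">{privilege_list}</Data></EventData>'
        "</Event>"
    )


# Constructed records: one clean logon event, one 4661 with an illegal control byte
# (assumed stand-in for the invalid Privileges value), one clean 4661.
SAMPLE_EVENTS = [
    build_event_xml(4624, "-"),
    build_event_xml(4661, "SeSecurityPrivilege\x01"),
    build_event_xml(4661, "SeBackupPrivilege"),
]


def triage_event_xml(raw):
    """Parse one event record and report its EventID and whether the XML is well-formed."""
    # Recover the EventID with a regex first so it is available even when parsing fails.
    id_match = re.search(r"<EventID[^>]*>(\d+)</EventID>", raw)
    event_id = int(id_match.group(1)) if id_match else None
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return {"event_id": event_id, "well_formed": False, "error": str(exc)}
    privs = root.find("e:EventData/e:Data[@Name='PrivilegeList']", {"e": EVENT_NS})
    return {
        "event_id": event_id,
        "well_formed": True,
        "privileges": privs.text if privs is not None else None,
    }


def triage_events(docs):
    """Triage a batch of raw event records."""
    return [triage_event_xml(d) for d in docs]


def offending_event_ids(docs):
    """Distinct EventIDs whose records are not well-formed XML."""
    return sorted({r["event_id"] for r in triage_events(docs) if not r["well_formed"]})


if __name__ == "__main__":
    for ts, source in find_malformed_xml_failures(SAMPLE_MESSAGES):
        print(f"{ts}: malformed event XML from source {source}")
    print("Offending EventIDs:", offending_event_ids(SAMPLE_EVENTS))
```

On a live collector the first function would be pointed at the real /var/log/messages to confirm which event sources are affected, and the second at exported event records from the same host; a result that names only 4661 is consistent with the cause described in this article and with the hotfix being the appropriate remedy.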

Resolution

The issue can be rectified by applying the appropriate hotfix found in Microsoft Knowledgebase Article 2956014.

Product Details

NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: Log Collector
Platform: Windows Server (WinRM)
O/S Version: Windows Server 2008 R2, Windows Server 2012 R2


Summary

Some security events are not being collected from a Windows Server 2008 R2 host, and this may be due to a parsing problem caused by a malformed event XML.

