Summary
This occurs with a WinC connector installed on Windows Server 2022. Some Application event log entries on a remote server host cannot be collected, while other logs from the same host are still collected by the connector.
Products
ArcSight Standard Connectors
Environment
Winc 8.4
Windows Server 2022
Situation
A WinC connector installed on Windows Server 2022 cannot read some Application events (such as MS SQL Server audit events) from a remote server, while other Application events from the same server are collected successfully.
There is no error message in agent.log or agent.wrapper.log; however, the following error is recorded in wincagent.log:
2023-03-16 14:06:33,627 [22] ERROR EventProcessor - Parsing error for Event: System.InvalidOperationException: We do not have 18 variants given for the UnsafeNativeMethods.EvtRenderFlags.EvtRenderEventValues flag. (System Properties)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtRenderBufferWithContextSystem(EventLogHandle contextHandle, EventLogHandle eventHandle, EvtRenderFlags flag, SystemProperties systemProperties, Int32 SYSTEM_PROPERTY_COUNT)
   at System.Diagnostics.Eventing.Reader.EventLogRecord.PrepareSystemData()
   at System.Diagnostics.Eventing.Reader.EventLogRecord.get_LogName()
   at ArcSight.WinCAgent.WindowsEventLog.EventProcessor.RenderEventJSONSystemFromXML(XElement xmlEvent, StringBuilder builder, EventRecord eventInstance, String locale) in e:\depot\candidate\connector\GA\main\src\Agent\WinC\WindowsEventLog\EventProcessor.cs:line 327
   at ArcSight.WinCAgent.WindowsEventLog.EventProcessor.RenderEventFlatJSONFromXML(StringBuilder eventBuild, String xml, EventRecord eventInstance, String locale) in e:\depot\candidate\connector\GA\main\src\Agent\WinC\WindowsEventLog\EventProcessor.cs:line 212
2023-03-16 14:06:33,748 [22] ERROR EventProcessor - Bad event content:<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQL$TRENDMICRO'/><EventID Qualifiers='16384'>33205</EventID><Level>0</Level><Task>5</Task><Keywords>0xa0000000000000</Keywords><TimeCreated SystemTime='2023-02-09T15:45:05.0613209Z'/><EventRecordID>1295879</EventRecordID><Channel>Application</Channel><Computer>ifidc-sql.ificonsulting.priv</Computer><Security/></System><EventData><Data>audit_schema_version:1 event_time:2023-02-09 15:45:02.2587146 sequence_number:1 action_id:AUSC succeeded:true is_column_permission:false ... </Data></EventData></Event>
Resolution
This issue is related to the .NET Framework and security patch level of Windows Server 2022, not to the connector configuration.
Applying the Windows Server 2022 updates below resolves the issue:
February 14, 2023-KB5022735 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows Server 2022 - Microsoft Support
March 14, 2023—KB5023705 (OS Build 20348.1607) - Microsoft Support
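To confirm on the WinC host that both updates are present and that events from the affected provider now render without the InvalidOperationException, the following PowerShell check can be run. It is an added example, not part of the KB article or the WinC product; the remote computer name is a placeholder, and the provider name is taken from the failing event above.

```powershell
# Added verification script (not part of the KB article or the WinC product).
# Assumptions: run on the Windows Server 2022 host where WinC is installed,
# with rights to read the Application log on the remote server.
param(
    [string]$RemoteComputer = 'REMOTE-SERVER-PLACEHOLDER',   # placeholder, replace
    [string]$ProviderName   = 'MSSQL$TRENDMICRO',           # provider from the failing event in the KB
    [int]$MaxEvents         = 50
)

# 1. Patch state: the two updates named in the Resolution section.
#    Get-HotFix reads Win32_QuickFixEngineering, which can miss updates installed
#    through other channels; treat MISSING as "verify in Windows Update history".
$requiredKBs = 'KB5022735', 'KB5023705'
$installed   = (Get-HotFix).HotFixID
foreach ($kb in $requiredKBs) {
    $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    Write-Output ("{0}: {1}" -f $kb, $state)
}

# KB5023705 corresponds to OS build 20348.1607; use the UBR as a second signal.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [version]("{0}.{1}" -f $cv.CurrentBuildNumber, $cv.UBR)
Write-Output ("OS build {0} (need >= 20348.1607)" -f $build)

# 2. Rendering check: the wincagent.log stack trace fails inside
#    EventLogRecord.get_LogName(). Get-WinEvent returns the same
#    System.Diagnostics.Eventing.Reader.EventLogRecord objects, so touching
#    LogName and rendering to XML here is assumed to exercise the same code path.
$filter = @{ LogName = 'Application'; ProviderName = $ProviderName }
try {
    $events = Get-WinEvent -ComputerName $RemoteComputer -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
} catch {
    Write-Output "Query failed: $($_.Exception.Message)"
    return
}

$bad = 0
foreach ($e in $events) {
    try {
        $null = $e.LogName        # property that threw in wincagent.log
        $null = $e.ToXml()        # full render, as the connector does
    } catch [System.InvalidOperationException] {
        $bad++
        Write-Output ("RecordId {0}: {1}" -f $e.RecordId, $_.Exception.Message)
    }
}
Write-Output ("{0} of {1} events failed to render" -f $bad, $events.Count)
```

Any event that still fails to render after both updates are installed indicates the host is not yet at the expected patch level, or that a reboot is still pending.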
URL Name
KM000016451