Knowledge Doc: [Standard Connectors] InvalidOperationException error with WinC agent

0 Likes

Summary
This occurs to WinC connector install on Windows Server 2022. Some of application event logs on remote server host cannot be collected while other logs still be collected by connector.

Products
ArcSight Standard Connectors

Environment
Winc 8.4
Windows Server 2022

Situation
WinC which is installed on Windows Server 2022 cannot read some of Application events (such as MS SQL Server audit events) from remote server, while other application event can be collected successfully.

No error message from agent.log or agent.wrapper.log, however, we can find the error message from wincagent.log:

2023-03-16 14:06:33,627   [22] ERROR  EventProcessor - Parsing error for Event: System.InvalidOperationException: We do not have 18 variants given for the  UnsafeNativeMethods.EvtRenderFlags.EvtRenderEventValues flag. (System Properties)
   at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtRenderBufferWithContextSystem(EventLogHandle contextHandle, EventLogHandle eventHandle, EvtRenderFlags flag, SystemProperties systemProperties, Int32 SYSTEM_PROPERTY_COUNT)
   at System.Diagnostics.Eventing.Reader.EventLogRecord.PrepareSystemData()
   at System.Diagnostics.Eventing.Reader.EventLogRecord.get_LogName()
   at ArcSight.WinCAgent.WindowsEventLog.EventProcessor.RenderEventJSONSystemFromXML(XElement xmlEvent, StringBuilder builder, EventRecord eventInstance, String locale) in e:\depot\candidate\connector\GA\main\src\Agent\WinC\WindowsEventLog\EventProcessor.cs:line 327
   at ArcSight.WinCAgent.WindowsEventLog.EventProcessor.RenderEventFlatJSONFromXML(StringBuilder eventBuild, String xml, EventRecord eventInstance, String locale) in e:\depot\candidate\connector\GA\main\src\Agent\WinC\WindowsEventLog\EventProcessor.cs:line 212

2023-03-16 14:06:33,748   [22] ERROR  EventProcessor -     Bad event content:<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='MSSQL$TRENDMICRO'/><EventID Qualifiers='16384'>33205</EventID><Level>0</Level><Task>5</Task><Keywords>0xa0000000000000</Keywords><TimeCreated SystemTime='2023-02-09T15:45:05.0613209Z'/><EventRecordID>1295879</EventRecordID><Channel>Application</Channel><Computer>ifidc-sql.ificonsulting.priv</Computer><Security/></System><EventData><Data>audit_schema_version:1
event_time:2023-02-09 15:45:02.2587146
sequence_number:1
action_id:AUSC
succeeded:true
is_column_permission:false
...
</Data></EventData></Event>


Resolution
This issue related to MS Windows 2022 .NET framework and Security patch.

Apply the below Windows 2022 patches help to fix the issue.

February 14, 2023-KB5022735 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows Server 2022 - Microsoft Support

March 14, 2023—KB5023705 (OS Build 20348.1607) - Microsoft Support


Knowledge Base Article Link


URL Name
KM000016451

Labels:

Knowledge Docs
Comment List
Related
Recommended