Understanding Windows Event Collector 4.3 error messages and their resolutions
Last Updated July 20, 2011
Windows Event Collector 4.3 stops collecting from remote machines. The list below explains the behavior of the collector sensor when it receives an error from the underlying Windows API, and how that behavior can be changed.
Based on the error code the sensor receives from the underlying Windows API, it sorts errors into three categories: Recoverable, Unrecoverable, and Recoverable with a limit. The default list of error codes, with explanations, is given below.
Unrecoverable. The sensor stops when it receives one of these:
KEY_NOT_FOUND_IN_THE_REGISTRY_ERROR_CODE, WinDLL code  (Specified log does not exist)
ACCESS_DENIED_ERROR_CODE, WinDLL code , which covers the messages "can not access registry on target box. Make sure user XXX has permissions to access registry on HOST"; "can not access requested log file. Make sure user XXX has permissions to read LogYYYY on HOSTZZZ"; "failed to open device due to invalid credentials. Details:..."
These are not recoverable because credential errors are unlikely to be resolved on the fly.
LOGON_FAILURE, DLL code  "failed to login into target box. Make sure sensor configuration has correct credentials and user USERXXX has permissions to access HOSTNAME."
Recoverable with a limit. The limit is the maximum number of errors during the open-connection operation. The sensor will try to reopen after pauseBetweenErrors, up to the limit defined in the property "connectionErrorsLimit" (see above); this property caps the number of connection attempts. Such errors are:
LOGON_FAILURE, DLL code  "failed to login into target box. Make sure sensor configuration has correct credentials and user USERXXX has permissions to access HOSTNAME."
ACCESS_DENIED_ERROR_CODE, WinDLL code , where the message contains "RegConnectRegistry": "System Reader failed to open device due to invalid credentials. Details: ERROR_CODE. RegConnectRegistry failed with error: Access is denied." By default, the sensor has a limit of 1.
All other errors with ERROR_CODE are unrecoverable.
Recoverable:
NETWORK_PATH_NOT_FOUND_ERROR_CODE, WinDLL code  (related to WNetAddConnection2, RegConnectRegistry)
All other errors not described above in (1) and (2) are recoverable.
Though this is not recommended, it is possible to reconfigure how the sensor treats certain error codes, for example to make some of them recoverable. This is done at your own risk, and Symantec accepts no liability for the result, as it may lead to unpredictable sensor behavior. Known consequences of reconfiguring how the sensor treats error codes include account lockout, when the sensor is instructed not to give up after a few failed login attempts, as well as increased CPU and network usage.
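The following is an added example that models the three categories and the connectionErrorsLimit / pauseBetweenErrors retry policy described above, so that the effect of raising the limit on a host's account-lockout policy can be seen. It is not Symantec's code: the error-code names, the message fragments, and the property names come from this article; the function names, the counting rule (stop once the limit is exceeded), the pause value, and the treatment of LOGON_FAILURE as a limited error are assumptions.

```python
"""Hypothetical model of the collector sensor's error-handling policy.

Added example, not Symantec's implementation. Error-code and property names
are from the article; the decision logic and all signatures are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    UNRECOVERABLE = "unrecoverable"
    RECOVERABLE_WITH_LIMIT = "recoverable with a limit"
    RECOVERABLE = "recoverable"


def classify(code: str, message: str = "") -> Category:
    """Map a (code, message) pair to the article's default category.

    Assumption: LOGON_FAILURE, which the article lists under both
    'unrecoverable' and 'recoverable with a limit', is treated as limited;
    with the default limit of 1 that means a single retry, then stop.
    """
    if code == "KEY_NOT_FOUND_IN_THE_REGISTRY_ERROR_CODE":
        return Category.UNRECOVERABLE
    if code == "ACCESS_DENIED_ERROR_CODE":
        # Only the RegConnectRegistry variant gets a limited retry;
        # the other access-denied messages are unrecoverable.
        if "RegConnectRegistry" in message:
            return Category.RECOVERABLE_WITH_LIMIT
        return Category.UNRECOVERABLE
    if code == "LOGON_FAILURE":
        return Category.RECOVERABLE_WITH_LIMIT
    # NETWORK_PATH_NOT_FOUND_ERROR_CODE and everything not listed above.
    return Category.RECOVERABLE


@dataclass
class SensorConnection:
    """Decides, per error, whether the sensor retries or stops."""
    connection_errors_limit: int = 1      # article's default value
    pause_between_errors: float = 30.0    # seconds between retries; value assumed
    limited_errors: int = field(default=0, init=False)
    stopped: bool = field(default=False, init=False)

    def handle_error(self, code: str, message: str = "") -> str:
        """Return 'retry' or 'stop'.

        A 'retry' means the sensor sleeps pause_between_errors and reopens;
        the sleep itself is omitted so the model runs instantly.
        """
        if self.stopped:
            return "stop"
        category = classify(code, message)
        if category is Category.UNRECOVERABLE:
            self.stopped = True
            return "stop"
        if category is Category.RECOVERABLE_WITH_LIMIT:
            self.limited_errors += 1
            # Assumed counting rule: stop once the limit has been exhausted.
            if self.limited_errors > self.connection_errors_limit:
                self.stopped = True
                return "stop"
            return "retry"
        return "retry"  # plain recoverable: keep retrying after each pause

    def handle_success(self) -> None:
        """A successful open resets the limited-error counter."""
        self.limited_errors = 0


def logon_attempts_before_stop(connection_errors_limit: int) -> int:
    """Count the logon attempts a sensor makes against a host that keeps
    rejecting its credentials.

    Each 'retry' is one more attempt; this is the number a domain
    account-lockout threshold sees, which is why raising the limit can
    lock the collector's service account out.
    """
    sensor = SensorConnection(connection_errors_limit=connection_errors_limit)
    attempts = 1  # the initial open that produced the first failure
    while sensor.handle_error("LOGON_FAILURE",
                              "failed to login into target box") == "retry":
        attempts += 1
    return attempts


if __name__ == "__main__":
    for limit in (1, 5, 10):
        print(f"connectionErrorsLimit={limit}: "
              f"{logon_attempts_before_stop(limit)} logon attempts before stop")
```

With the default limit of 1 the model makes two logon attempts and then stops; with a limit of 10 it makes eleven, which is above the lockout threshold most domain policies use. Keeping connectionErrorsLimit below the target domain's lockout threshold is the practical check before changing this property.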
On Windows (32-bit): C:\Program Files\Symantec\Event Agent\collectors\windowseventlog
On Linux/Unix: this collector does not run on non-Windows platforms.
This setting must be added between the <props> and </props> tags in config.xml. Back up the file before changing it.