Event Collector: Source initiated log source (Windows 2003 SP2) using HTTPS transport encounters ERROR_NOT_ENOUGH_MEMORY from WinHTTP

  • Question

  • I have been unable to find any information about this issue online. I did find one other poster describing the issue but with no apparent resolution: http://social.technet.microsoft.com/Forums/en-AU/winservergen/thread/fde4954f-8774-4e82-8ef0-a70724a5e418

    I am seeking any comment. I realize that 2003 has hit EOL but hope that someone might still have some useful ideas :) At the same time I'll be sure to add any resolution to the thread for any future sufferer's benefit.

     

    Synopsis: Windows Server 2003 SP2 configured as a log source in a source initiated event subscription, using HTTPS transport, eventually fails with “Not enough space is available to process this command.” (WinHTTP call returns err ERROR_NOT_ENOUGH_MEMORY)

     

    Test Setup:

    Standard source initiated subscription configuration between a Windows 2003 Server SP2 Enterprise Edition x86 using HTTPS transport (certificate auth). Collector is a Windows 7 Ultimate x86.  Subscription is for all Security log contents. Sample logs generated by enabling all audit policies for Success & Failure and adding auditing for full control to c: drive for administrator. Normal Administrator interaction generates 50 or more events per second.

     

    Observed:

    Subscription is successfully established, some number of events are transferred (in the range of a few thousand), then error number 8 is returned by WinHTTP for some call, generating the following log entries.

     

    The forwarder is having a problem communicating with subscription manager at address HTTPS://collector:5986/wsman/SubscriptionManager/WEC.  Error code is 8 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="8" Machine="sourcemachine" xml:lang="en-US"><f:Message>The function: &quot;WinHttpOpenRequest&quot; failed unexpectedly. GetLastError=8. </f:Message></f:WSManFault>.

     

     

    The forwarder is having a problem communicating with subscription manager at address HTTPS://collector:5986/wsman/SubscriptionManager/WEC.  Error code is 995 and Error Message is <f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="995" Machine="sourcemachine" xml:lang="en-US"><f:Message>WS-Management cannot process the request. The operation failed because of an HTTP error. The HTTP error (8) is: Not enough storage is available to process this command. . </f:Message></f:WSManFault>.

     

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

     

     

    Depending on the specific call that returned the error, different behaviour is then observed – event sending may continue for some time, subscription refresh may or may not continue (and return this error), etc.

     

    WinHTTP trace log mirrors this observation – requests that first return the error may be small; e.g. subscription refresh/enumeration request of only about 2kb.

     

    Observed that svchost for WinRM has a very large Working Set (1.7gb).

     

    Not Yet Tested:

    We do not yet know if this occurs with 64 bit OS versions or with newer versions of Windows, or when using HTTP w/ Kerberos authentication instead. I suspect that SSL may be the culprit because Kerberos is much more commonly used for authentication and I don't see others complaining about this.

     

     

     



    Tuesday, June 28, 2011 6:07 PM
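
Added example, not part of the original post: a small Python parser for the forwarder error messages quoted above, useful when watching for sources that have silently stopped forwarding Security events. It pulls the WSManFault XML out of the event text and reports the fault code, source machine, failing WinHTTP function and the inner Win32/HTTP error. The function names and result fields are assumptions of this example; the two sample messages are copied from the post.

```python
import re
import xml.etree.ElementTree as ET

NS = {"f": "http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"}
ERROR_NOT_ENOUGH_MEMORY = 8  # Win32 error the post reports from WinHTTP
FAULT_RE = re.compile(r"<f:WSManFault\b.*?</f:WSManFault>", re.S)
ADDR_RE = re.compile(r"address (\S+)\.\s+Error code")
FUNC_RE = re.compile(r'The function: "(\w+)" failed unexpectedly\. GetLastError=(\d+)')
HTTP_RE = re.compile(r"The HTTP error \((\d+)\) is:")

# The two forwarder event messages quoted in the post, copied verbatim.
SAMPLES = [
    'The forwarder is having a problem communicating with subscription manager at address '
    'HTTPS://collector:5986/wsman/SubscriptionManager/WEC.  Error code is 8 and Error Message is '
    '<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="8" '
    'Machine="sourcemachine" xml:lang="en-US"><f:Message>The function: &quot;WinHttpOpenRequest'
    '&quot; failed unexpectedly. GetLastError=8. </f:Message></f:WSManFault>.',
    'The forwarder is having a problem communicating with subscription manager at address '
    'HTTPS://collector:5986/wsman/SubscriptionManager/WEC.  Error code is 995 and Error Message is '
    '<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="995" '
    'Machine="sourcemachine" xml:lang="en-US"><f:Message>WS-Management cannot process the '
    'request. The operation failed because of an HTTP error. The HTTP error (8) is: Not enough '
    'storage is available to process this command. . </f:Message></f:WSManFault>.',
]

def parse_forwarder_error(text):
    """Return the fields of one forwarder error event, or None if it has no fault XML."""
    m = FAULT_RE.search(text)
    if m is None:
        return None
    fault = ET.fromstring(m.group(0))  # also decodes &quot; inside <f:Message>
    msg = fault.findtext("f:Message", default="", namespaces=NS)
    addr = ADDR_RE.search(text)
    func = FUNC_RE.search(msg)   # direct WinHTTP call failure (Code 8 form)
    http = HTTP_RE.search(msg)   # wrapped HTTP error (Code 995 form)
    inner = int(func.group(2)) if func else int(http.group(1)) if http else None
    return {
        "code": int(fault.get("Code", -1)),
        "machine": fault.get("Machine"),
        "address": addr.group(1) if addr else None,
        "winhttp_function": func.group(1) if func else None,
        "inner_error": inner,
        "memory_exhaustion": inner == ERROR_NOT_ENOUGH_MEMORY,
    }

def sources_out_of_memory(messages):
    """Machines whose forwarder reported ERROR_NOT_ENOUGH_MEMORY at least once."""
    parsed = filter(None, map(parse_forwarder_error, messages))
    return sorted({p["machine"] for p in parsed if p["memory_exhaustion"]})
```

Both message forms resolve to the same inner error 8, so an alert keyed only on the outer fault code would miss that the 995 events are the same condition.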