IBM Support

WinCollect: Error code 0x06B5: The interface is unknown

Troubleshooting


Problem

A WinCollect agent in a deployment has stopped sending events and reports the following error in its device log: "Error code 0x06B5: The interface is unknown."

Symptom


This article describes how to troubleshoot WinCollect Error code 0x06B5: The interface is unknown.

If your agent runs into this error, the device log can display the following error message in C:\Program Files\IBM\WinCollect\logs\WinCollect_Device.(timestamp).log:

ERROR Device.WindowsLog.EventLogMonitor : Failed to open event log IP address [\\IP address:Security]; will try again in approx 60 seconds. Reason: Error code 0x06B5: The interface is unknown. 

Cause

This error occurs when an interface is unknown. The most common cause is that the Microsoft Event Log service is not starting, is not running, or is not in a stable state.

Resolving The Problem

A common resolution for this issue is to restart the Windows Event Log service, then restart the WinCollect service.

To restart both the Event Log and WinCollect services:

  1. Log in to the Windows host that stopped reporting events.
  2. Click Start > Run.
  3. Type services.msc, then click OK.
  4. Locate the Event Log service and ensure that the status is Started. If the service is already started, the administrator should restart the service to ensure that the operating system's event log service is working as intended.
  5. Locate the WinCollect service.
  6. Right-click the service and select Restart.
  7. After the Event Log service restarts, exit the Services snap-in.

Results

After the services are restarted, verify that the agent is sending events. If you continue to have issues, verify the LEEF messages coming from the agent or review the WinCollect.Device log for more information as to the root cause of the issue.

Alternate resolution

Error code 0x06B5 is also known as Windows error 1717. If the Event Log service is missing, go to the following registry key and compare it to a system that is working correctly:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
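
The restart procedure and registry check above, scripted in PowerShell as an added example (not IBM-supplied code). It assumes the agent's Windows service is named WinCollect, the default log directory quoted in this article, and an elevated session; comparing the error count before and after the restart is an illustrative way to verify the result.

```powershell
# Added example, not IBM code. Run from an elevated PowerShell session on the affected host.
$logDir   = 'C:\Program Files\IBM\WinCollect\logs'               # default path from this article
$eventKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'   # key from this article
$agentSvc = 'WinCollect'                                         # assumed service name

function Get-InterfaceErrorCount {
    # Count "Error code 0x06B5" lines across the agent's device logs.
    $files = Get-ChildItem -Path $logDir -Filter 'WinCollect_Device*.log' -ErrorAction SilentlyContinue
    if (-not $files) { return 0 }
    return @($files | Select-String -Pattern 'Error code 0x06B5' -SimpleMatch).Count
}

# Alternate resolution: a missing Event Log service cannot be restarted.
$eventLog = Get-Service -Name EventLog -ErrorAction SilentlyContinue
if (-not $eventLog) {
    $keyState = if (Test-Path $eventKey) { 'present' } else { 'missing' }
    Write-Warning "Event Log service not found (registry key $keyState). Compare $eventKey with a working system."
    return
}

$before     = Get-InterfaceErrorCount
$dependents = @($eventLog.DependentServices | Where-Object { $_.Status -eq 'Running' })

# Event Log first, then the agent. -Force is needed when other services depend on EventLog.
Restart-Service -Name EventLog -Force -ErrorAction Stop
Restart-Service -Name $agentSvc -ErrorAction Stop

# Bring back any dependent services that were stopped along with EventLog.
foreach ($svc in $dependents) {
    $svc.Refresh()
    if ($svc.Status -ne 'Running') { Start-Service -InputObject $svc }
}
foreach ($name in 'EventLog', $agentSvc) {
    (Get-Service -Name $name).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

# The agent retries a failed open roughly every 60 seconds, so wait past one retry.
Start-Sleep -Seconds 90
$after = Get-InterfaceErrorCount
if ($after -gt $before) {
    Write-Warning "0x06B5 is still being logged ($($after - $before) new entries); review the device log."
} else {
    Write-Host 'No new 0x06B5 entries since the restart.'
}
```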


Document Information

Modified date: 10 May 2019

UID: swg21993362