Troubleshooting
Problem
The WinCollect agent and log source are configured with default values, and error code 0x06D9 is displayed in the Windows device logs.
Symptom
Look in the Windows device logs for error messages similar to the following:
017-04-28 13:09:27,255 ERROR Device.WindowsLog.W2K8.192.168.1.23.System : Error executing <QueryList><Query Id="4" Path="Security"><Select Path="System">* and *[System[TimeCreated[@SystemTime > '2017-04-28T16:09:24.676000595Z']]]</Select></Query></QueryList> -- Error code 0x06D9: There are no more endpoints available from the endpoint mapper.
2017-04-28 13:09:27,515 ERROR Device.WindowsLog.W2K8.192.168.1.23.Security : Error executing <QueryList><Query Id="4" Path="Security"><Select Path="Security">* and *[System[TimeCreated[@SystemTime > '2017-04-28T16:09:24.676000595Z']]]</Select></Query></QueryList> -- Error code 0x06D9: There are no more endpoints available from the endpoint mapper.
2017-04-28 13:09:27,822 ERROR Device.WindowsLog.W2K8.192.168.1.23.Application : Error executing <QueryList><Query Id="4" Path="Security"><Select Path="Application">* and *[System[TimeCreated[@SystemTime > '2017-04-28T16:09:24.674999237Z']]]</Select></Query></QueryList> -- Error code 0x06D9: There are no more endpoints available from the endpoint mapper.
Cause
When WinCollect is used with a Windows XP or Windows 2003 server, you need to use the older Event Log Poll Protocol, MSEVEN, instead of MSEVEN6.
Resolving The Problem
To resolve this issue:
- Log in to the QRadar Console.
- Click the Admin tab > Log Sources.
- Locate the WinCollect log source that is displaying the error.
- Change the Event Log Poll Protocol from MSEVEN6 to MSEVEN.
Results: You should now be able to log events without the 0x06D9 error.
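To find every log source that needs this change, the device log can be scanned for the error. The following is an added example, not IBM code; it assumes the logger name has the form `Device.WindowsLog.<label>.<IPv4>.<channel>` as in the sample lines above, and its sample input is constructed.

```python
import re
from collections import defaultdict

# Assumed layout, inferred from the sample lines on this page:
#   <date> <time> <LEVEL> Device.WindowsLog.<label>.<IPv4>.<channel> : <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+"
    r"Device\.WindowsLog\.(?P<label>.+?)\."
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<channel>[^\s:]+)\s+:\s+(?P<msg>.*)$"
)
CODE_RE = re.compile(r"Error code (0x[0-9A-Fa-f]+)")
ENDPOINT_MAPPER_ERROR = 0x06D9  # the error code this page covers


def affected_sources(lines):
    """Return {ip: sorted channel names} for ERROR lines reporting 0x06D9."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("level") != "ERROR":
            continue
        code = CODE_RE.search(m.group("msg"))
        # Compare numerically so 0x06d9 and 0x06D9 are treated the same.
        if code and int(code.group(1), 16) == ENDPOINT_MAPPER_ERROR:
            hits[m.group("ip")].add(m.group("channel"))
    return {ip: sorted(channels) for ip, channels in hits.items()}


# Constructed sample lines (documentation addresses, shortened queries).
SAMPLE = """\
2017-04-28 13:09:27,255 ERROR Device.WindowsLog.W2K3.192.0.2.23.System : Error executing <QueryList>...</QueryList> -- Error code 0x06D9: There are no more endpoints available from the endpoint mapper.
2017-04-28 13:09:27,515 ERROR Device.WindowsLog.W2K3.192.0.2.23.Security : Error executing <QueryList>...</QueryList> -- Error code 0x06d9: There are no more endpoints available from the endpoint mapper.
2017-04-28 13:09:28,101 ERROR Device.WindowsLog.W2K8.192.0.2.40.System : Error executing <QueryList>...</QueryList> -- Error code 0x0005: Access is denied.
2017-04-28 13:09:29,000 INFO Device.WindowsLog.W2K8.192.0.2.40.Application : Reopening event log
""".splitlines()

if __name__ == "__main__":
    for ip, channels in affected_sources(SAMPLE).items():
        print(f"{ip}: 0x06D9 on {', '.join(channels)}; check the Event Log Poll Protocol")
```

Each address returned corresponds to a log source to review in the Admin tab; other error codes and non-error lines are ignored.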
Document Information
Modified date: 10 May 2019
UID: swg22010867