ossec.log - Could not read XML string


Andrehens Chicfici

Sep 24, 2025, 8:55:16 AM (5 days ago) Sep 24
to Wazuh | Mailing List
Hey,
After upgrading to 4.13.0 I get multiple errors in my ossec.log:

2025/09/24 12:17:40 wazuh-analysisd: WARNING: Could not read XML string: '"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>4103</EventID><Version>1</Version><Level>4</Level><Task>106</Task><Opcode>20</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2025-09-24T10:17:25.0207599Z'/><EventRecordID>107800</EventRecordID><Correlation ActivityID='{f848ca2b-2432-0000-9335-5ff83224dc06}'/><Execution ProcessID='3752' ThreadID='2252'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>TEST.DOMAIN.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='ContextInfo'>        Schweregrad: Informational          Hostname: ConsoleHost          Hostversion: 5.1.20348.4163          Host-ID: 4921808b-ccfd-4031-9a15-5b7e475bb080          Hostanwendung = powershell $null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \"LSAAnonymousNameLookup\").ToString().Split(\"=\")[1].Trim()          Modulversion: 5.1.20348.4163          Runspace-ID: beb513e3-9e81-4cc8-9c53-acc96780c2d4          Pipeline-ID: 1          Befehlsname: Get-Content          Befehlstyp: Cmdlet          Skriptname:           Befehlspfad:           Sequenznummer: 36          Benutzer: DOMAIN\\SYSTEM          Verbundener Benutzer =           Shell-ID: Microsoft.PowerShell  </Data><Data Name='UserData'></Data><Data Name='Payload'>CommandInvocation(Get-Content): \"Get-Content\"  ParameterBinding(Get-Content): Name=\"Path\"; Wert=\"C:\\Windows\\TEMP/secexport.cfg\"  CommandInvocation(Select-String): \"Select-String\"  ParameterBinding(Select-String): Name=\"Pattern\"; Wert=\"LSAAnonymousNameLookup\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"[Unicode]\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"Unicode=yes\"  ParameterBinding(Select-String): Name=\"InputObject\"; 
Wert=\"[System Access]\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MinimumPasswordAge = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MaximumPasswordAge = -1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MinimumPasswordLength = 12\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"PasswordComplexity = 1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"PasswordHistorySize = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"LockoutBadCount = 5\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"ResetLockoutCount = 30\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"LockoutDuration = 30\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"Allowuser3Lockout = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"RequireLogonToChangePassword = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"ForceLogoffWhenHourExpire = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"Newuser3Name = \"user3\"\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"NewGuestName = \"Gast\"\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"ClearTextPassword = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"LSAAnonymousNameLookup = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"EnablemadinAccount = 1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"EnableGuestAccount = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"[Event Audit]\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"AuditSystemEvents = 3\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"AuditLogonEvents = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"AuditObjectAccess = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"AuditPrivilegeUse = 0\"  
ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"AuditPolicyChange = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"AuditAccountManage = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"AuditProcessTracking = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"AuditDSAccess = 0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"AuditAccountLogon = 3\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"[Kerberos Policy]\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MaxTicketAge = 10\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MaxRenewAge = 7\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MaxServiceAge = 600\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MaxClockSkew = 5\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"TicketValidateClient = 1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"[Version]\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"signature=\"$CHICAGO$\"\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"Revision=1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"[Registry Values]\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole\\SecurityLevel=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole\\SetCommand=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\CachedLogonsCount=1,\"10\"\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ForceUnlockLogon=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; 
Wert=\"MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\PasswordExpiryWarning=4,14\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ScRemoveOption=1,\"0\"\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviormadin=4,5\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorUser=4,3\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableCAD=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DontDisplayLastUserName=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableInstallerDetection=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableSecureUIAPaths=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableUIADesktopToggle=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableVirtualization=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\SupportedEncryptionTypes=4,2147483640\"  ParameterBinding(Select-String): Name=\"InputObject\"; 
Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeCaption=1,\"\"\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LegalNoticeText=7,\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ScForceOption=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ShutdownWithoutLogon=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\UndockWithoutLogon=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ValidatemadinCodeSignatures=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\AuthenticodeEnabled=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\AuditBaseObjects=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\CrashOnAuditFail=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\DisableDomainCreds=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\EveryoneIncludesAnonymous=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FIPSAlgorithmPolicy\\Enabled=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; 
Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\ForceGuest=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FullPrivilegeAuditing=3,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,5\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\NTLMMinClientSec=4,536870912\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\NTLMMinServerSec=4,536870912\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymousSAM=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Print\\Providers\\LanMan Print Services\\Servers\\AddPrinterDrivers=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\SecurePipeServers\\Winreg\\AllowedExactPaths\\Machine=7,System\\CurrentControlSet\\Control\\ProductOptions,System\\CurrentControlSet\\Control\\Server Applications,Software\\Microsoft\\Windows NT\\CurrentVersion\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\SecurePipeServers\\Winreg\\AllowedPaths\\Machine=7,System\\CurrentControlSet\\Control\\Print\\Printers,System\\CurrentControlSet\\Services\\Eventlog,Software\\Microsoft\\OLAP 
Server,Software\\Microsoft\\Windows NT\\CurrentVersion\\Print,Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows,System\\CurrentControlSet\\Control\\ContentIndex,System\\CurrentControlSet\\Control\\Terminal Server,System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig,System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration,Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib,System\\CurrentControlSet\\Services\\SysmonLog\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Kernel\\ObCaseInsensitive=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Memory Management\\ClearPageFileAtShutdown=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\ProtectionMode=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\SubSystems\\optional=7,\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\AutoDisconnect=4,15\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\EnableForcedLogOff=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\EnableSecuritySignature=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\NullSessionPipes=7,,netlogon,samr,lsarpc\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\RequireSecuritySignature=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; 
Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\RestrictNullSessAccess=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\EnablePlainTextPassword=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\EnableSecuritySignature=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\RequireSecuritySignature=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\LDAP\\LDAPClientIntegrity=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\DisablePasswordChange=4,0\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\MaximumPasswordAge=4,30\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireSignOrSeal=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireStrongKey=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\SealSecureChannel=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\SignSecureChannel=4,1\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\NTDS\\Parameters\\LdapEnforceChannelBinding=4,2\"  ParameterBinding(Select-String): Name=\"InputObject\"; 
Wert=\"MACHINE\\System\\CurrentControlSet\\Services\\NTDS\\Parameters\\LDAPServerIntegrity=4,2\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"[Privilege Rights]\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544,*S-1-5-32-554,*S-1-5-9\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeTcbPrivilege = Dienstkonto,user3,*S-1-5-32-551\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeMachineAccountPrivilege = *S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-554,*S-1-5-80-2173458721-2904625615-909896099-498039032-819963561,*S-1-5-80-2174550488-1157150547-772031248-2035391809-3501832127,*S-1-5-80-2536748308-1693523937-2041512610-3621275297-3758672322,*S-1-5-80-2915334516-3307844703-856016376-2477292901-2843893207,*S-1-5-80-3509098935-2998892308-2296305970-2914631823-1714180652,*S-1-5-80-3639268497-1959974333-2912738318-2005284346-2745570534,*S-1-5-80-387343838-323274701-329348288-455201286-2413739011\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeCreatePagefilePrivilege = *S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeCreateTokenPrivilege = user3\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeDebugPrivilege = *S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeAuditPrivilege = *S-1-5-19,*S-1-5-20\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeIncreaseQuotaPrivilege = 
*S-1-5-19,*S-1-5-20,ABCServer2000User$AD-SERVER$MICROSOFT##SSEE,user3,*S-1-5-32-544,*S-1-5-80-2173458721-2904625615-909896099-498039032-819963561,*S-1-5-80-2174550488-1157150547-772031248-2035391809-3501832127,*S-1-5-80-2536748308-1693523937-2041512610-3621275297-3758672322,*S-1-5-80-2915334516-3307844703-856016376-2477292901-2843893207,*S-1-5-80-3509098935-2998892308-2296305970-2914631823-1714180652,*S-1-5-80-3639268497-1959974333-2912738318-2005284346-2745570534,*S-1-5-80-387343838-323274701-329348288-455201286-2413739011\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeIncreaseBasePriorityPrivilege = *S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeBatchLogonRight = *S-1-5-19,*S-1-5-21-1151942557-634218271-1537874043-1037,*S-1-5-21-1151942557-634218271-1537874043-1046,*S-1-5-21-1151942557-634218271-1537874043-1060,IIS_WPG,user3,*S-1-5-32-551,*S-1-5-32-568\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeServiceLogonRight = *S-1-5-18,*S-1-5-19,*S-1-5-20,user1.mad,user1.mad,Dienstkonto,user2.mad,user3,user2.mad,VORDEFINIERT,*S-1-5-32-551,*S-1-5-80-2173458721-2904625615-909896099-498039032-819963561,*S-1-5-80-2174550488-1157150547-772031248-2035391809-3501832127,*S-1-5-80-2536748308-1693523937-2041512610-3621275297-3758672322,*S-1-5-80-2915334516-3307844703-856016376-2477292901-2843893207,*S-1-5-80-3509098935-2998892308-2296305970-2914631823-1714180652,*S-1-5-80-3639268497-1959974333-2912738318-2005284346-2745570534,*S-1-5-80-387343838-323274701-329348288-455201286-2413739011\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeSecurityPrivilege = Exchange Enterprise Servers,Exchange Servers,*S-1-5-32-544\"  
ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeSystemEnvironmentPrivilege = *S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeProfileSingleProcessPrivilege = *S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeSystemProfilePrivilege = *S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,user3,*S-1-5-80-2173458721-2904625615-909896099-498039032-819963561,*S-1-5-80-2174550488-1157150547-772031248-2035391809-3501832127,*S-1-5-80-2536748308-1693523937-2041512610-3621275297-3758672322,*S-1-5-80-2915334516-3307844703-856016376-2477292901-2843893207,*S-1-5-80-3509098935-2998892308-2296305970-2914631823-1714180652,*S-1-5-80-3639268497-1959974333-2912738318-2005284346-2745570534,*S-1-5-80-387343838-323274701-329348288-455201286-2413739011\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeRestorePrivilege = Dienstkonto,*S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeTakeOwnershipPrivilege = *S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeUndockPrivilege = *S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeEnableDelegationPrivilege = *S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeManageVolumePrivilege = *S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeRemoteInteractiveLogonRight = *S-1-5-32-544\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6\"  
ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeIncreaseWorkingSetPrivilege = *S-1-5-32-545\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeTimeZonePrivilege = *S-3-5-19,*S-1-5-32-544,*S-1-5-32-549\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeCreateSymbolicLinkPrivilege = *S-1-3-32-543\"  ParameterBinding(Select-String): Name=\"InputObject\"; Wert=\"SeDelegateSessionUserImpersonatePrivilege = *S-1-5-32-544\"  </Data></EventData></Event>"'

Is someone else seeing this?

cheers 
chic

Nicolás Edgardo Rocca

Sep 24, 2025, 10:16:06 AM (5 days ago) Sep 24
to Wazuh | Mailing List
Hi,
What you're seeing in your ossec.log file is not an error, but a warning related to XML event decoding and parsing.
I'm investigating this warning to determine exactly why the XML event could not be parsed, although it might be related to the event size.
I'll come back to you as soon as I can.

Nicolás Edgardo Rocca

Sep 28, 2025, 4:37:48 AM (20 hours ago) Sep 28
to Wazuh | Mailing List
So after investigating this warning, it's indeed caused by the event size. The maximum size for XML events is 20 KB (which corresponds to 20480 characters), while the event produced by your Windows agent is 22159 characters long, i.e. ~21.6 KB.
This being said, this limitation will be removed in Wazuh's next major release.
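As an added triage example (not code from the thread or from the Wazuh project), the script below scans ossec.log lines for the "Could not read XML string" warning quoted above, measures the length of the embedded XML and reports the events that exceed the 20480-character limit Nicolás describes, together with the Provider, EventID, Channel and Computer from the event's System block, so an administrator can see which agents and channels produce oversized events. The log format assumed is the one in the first post; the sample log lines, the padded event bodies and the zero GUID are constructed here, and the assumption that analysisd counts the XML text between the outer double quotes is a guess, not something the thread states.

```python
import re

# Limit stated in the thread for XML events in Wazuh 4.13: 20 KB = 20480 characters.
XML_EVENT_LIMIT = 20480

# wazuh-analysisd wraps the rejected event in single quotes, with the XML itself
# additionally wrapped in double quotes, as in the log line quoted in the thread.
WARNING_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) wazuh-analysisd: WARNING: "
    r"Could not read XML string: '(?P<payload>.*)'\s*$"
)

# Fields pulled out of the embedded <System> block for triage.
FIELD_PATTERNS = {
    "provider": re.compile(r"<Provider Name='([^']*)'"),
    "event_id": re.compile(r"<EventID>(\d+)</EventID>"),
    "channel": re.compile(r"<Channel>([^<]*)</Channel>"),
    "computer": re.compile(r"<Computer>([^<]*)</Computer>"),
}


def parse_warning(line):
    """Return a dict describing one 'Could not read XML string' warning,
    or None if the line is anything else."""
    m = WARNING_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    payload = m.group("payload")
    # Assumption: the size that matters is the XML text inside the outer double quotes.
    if len(payload) >= 2 and payload[0] == '"' and payload[-1] == '"':
        payload = payload[1:-1]
    info = {"timestamp": m.group("ts"), "length": len(payload)}
    for key, pattern in FIELD_PATTERNS.items():
        fm = pattern.search(payload)
        info[key] = fm.group(1) if fm else None
    return info


def find_oversized(lines, limit=XML_EVENT_LIMIT):
    """Scan ossec.log lines and return the warnings whose XML exceeds `limit`,
    each annotated with how many characters over the limit it is. Warnings
    under the limit are not explained by the size cap and are left out."""
    hits = []
    for line in lines:
        info = parse_warning(line)
        if info is not None and info["length"] > limit:
            info["over_by"] = info["length"] - limit
            hits.append(info)
    return hits


def _fake_event(computer, channel, provider, event_id, total_len):
    """Build a constructed Windows event XML whose Payload element is padded so
    the whole document is exactly `total_len` characters (sample data only)."""
    head = (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System>"
        f"<Provider Name='{provider}' Guid='{{00000000-0000-0000-0000-000000000000}}'/>"
        f"<EventID>{event_id}</EventID><Channel>{channel}</Channel>"
        f"<Computer>{computer}</Computer></System>"
        "<EventData><Data Name='Payload'>"
    )
    tail = "</Data></EventData></Event>"
    filler = 'ParameterBinding(Select-String): Name=\\"InputObject\\"; Wert=\\"x\\"  '
    needed = max(0, total_len - len(head) - len(tail))
    body = (filler * (needed // len(filler) + 1))[:needed]
    return head + body + tail


# Constructed ossec.log excerpt: one oversized PowerShell event (same length as
# the one in the thread), one small event, and one unrelated INFO line.
SAMPLE_OSSEC_LOG = [
    "2025/09/24 12:17:40 wazuh-analysisd: WARNING: Could not read XML string: '\""
    + _fake_event("TEST.DOMAIN.local", "Microsoft-Windows-PowerShell/Operational",
                  "Microsoft-Windows-PowerShell", 4103, 22159) + "\"'",
    "2025/09/24 12:18:02 wazuh-analysisd: WARNING: Could not read XML string: '\""
    + _fake_event("WS01.DOMAIN.local", "Security",
                  "Microsoft-Windows-Security-Auditing", 4688, 1500) + "\"'",
    "2025/09/24 12:18:05 wazuh-analysisd: INFO: Total rules enabled: 7000",
]


if __name__ == "__main__":
    # Typical use: run over the real file with find_oversized(open("/var/ossec/logs/ossec.log"))
    for hit in find_oversized(SAMPLE_OSSEC_LOG):
        print(f"{hit['timestamp']} {hit['computer']} {hit['channel']} "
              f"EventID={hit['event_id']} len={hit['length']} over_by={hit['over_by']}")
```

Run against the real log, the output tells you which hosts and channels are hitting the cap (PowerShell 4103 module-logging events with large pipeline payloads are the usual suspects) and by how much, which is the information needed to decide whether to trim the source logging until the limit is lifted. A warning whose payload comes out under 20480 characters points to a different parse problem and should be looked at separately.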