Converting data batch to XML failed with error "0x80131500"


I've recently onboarded some devices into Azure Sentinel via the DNS Connector, which uses the Monitor Agent (I think).

 

For the most part, this has worked, but the DNS lookup events frequently stop getting forwarded to the log workspace. Other events do continue to forward. In the 'Operations Manager' event logs on one of my servers, I see events 4512 and 1103 that have contents like:

4512: Converting data batch to XML failed with error "0x80131500" (0x80131500) in rule "Microsoft.SystemCenter.CollectDnsEtwEvents" running for instance "" with id:"{<guid>}" in management group "AOI-<guid>".

1103: Summary: 1 rule(s)/monitor(s) failed and got unloaded, 0 of them reached the failure limit that prevents automatic reload. Management group "AOI-<guid>". This is summary only event, please see other events with descriptions of unloaded rule(s)/monitor(s).

After a few of these 1103 events, the message changes to "1 of them reached the failure limit..."

 

Something eventually reloads rules and the log collection begins again for a while before failing. I can also restart collection by using the DNS Collector configuration panel to re-send the collection rules.

 

How do I troubleshoot what DNS events are failing to convert to XML and either fix the conversion, remediate the clients, or adjust the rules so that they don't try to capture these events? Does the management agent have verbose or detailed logging anywhere?

 
