Windows Event Collector 4.3 stops collecting from remote machines. The list below will help you understand and change the behavior of the collector sensor when it gets an error from the underlying Windows API.
Based on the error code the sensor gets from the underlying Windows API, it splits errors into three categories: Recoverable, Unrecoverable and Recoverable with a limit. The default list of error codes with explanations is listed below.
Though this is not recommended, it is possible to reconfigure how certain error codes are treated by the sensor and, for example, make some of them recoverable. This should be done at your own risk and Symantec has no liability after this, as this may lead to unpredictable sensor behavior. One known consequence of reconfiguring how the sensor treats error codes is account lockout, when the sensor is instructed not to give up after a few failed login attempts, as well as increased CPU and network usage.
On Windows (32-bit): C:\Program Files\Symantec\Event Agent\collectors\windowseventlog
On Linux/Unix: This collector does not run on non-Windows platforms.
This setting must be added between the <props> and </props> tags in config.xml. Make sure you back up the file before changing it.
Using the setting above forces the collector to retry 3 times instead of once when the error code is 1326 and makes it Recoverable.
Version required = Windows Event Sensor version 3.15.00