Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| EVID 3 : System Service Model Exception | Base Rule | Exception Error | Error |

Sample Logs

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='System.ServiceModel 5.5.5.5'/><EventID Qualifiers='49154'>3</EventID><Level>Error</Level><Task>WebHost</Task><Keywords>Classic</Keywords><TimeCreated SystemTime='2016-10-25T22:15:07.000000000Z'/><EventRecordID>2788583</EventRecordID><Channel>Application</Channel><Computer>_destinationhostname</Computer><Security UserID='_domainOrigin\_originUser'/></System><EventData><Data>System.ServiceModel.ServiceHostingEnvironment+HostingManager/60375305</Data><Data>System.ServiceModel.ServiceActivationException: The service '/LogRhythm.KB.Admin.v6.1/AdminService.svc' cannot be activated due to an exception during compilation. The exception message is: Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'lr-kb-intweb01.lrprod.inter'. Provide a more specific find value.. ---> System.InvalidOperationException: Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'lr-kb-intweb01.lrprod.inter'. Provide a more specific find value.

at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target, Boolean throwIfMultipleOrNoMatch)
at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target)
at System.ServiceModel.Configuration.X509RecipientCertificateServiceElement.ApplyConfiguration(X509CertificateRecipientServiceCredential cert)
at System.ServiceModel.Configuration.ServiceCredentialsElement.ApplyConfiguration(ServiceCredentials behavior)
at System.ServiceModel.Configuration.ServiceCredentialsElement.CreateBehavior()
at System.ServiceModel.Description.ConfigLoader.LoadBehaviors[T](ServiceModelExtensionCollectionElement`1 behaviorElement, KeyedByTypeCollection`1 behaviors, Boolean commonBehaviors)
at System.ServiceModel.Description.ConfigLoader.LoadServiceDescription(ServiceHostBase host, ServiceDescription description, ServiceElement serviceElement, Action`1 addBaseAddress, Boolean skipHost)
at System.ServiceModel.ServiceHostBase.LoadConfigurationSectionInternal(ConfigLoader configLoader, ServiceDescription description, ServiceElement serviceSection)
at System.ServiceModel.ServiceHost.ApplyConfiguration()
at System.ServiceModel.ServiceHostBase.InitializeDescription(UriSchemeKeyedCollection baseAddresses)
at System.ServiceModel.ServiceHost..ctor(Type serviceType, Uri[] baseAddresses)
at System.ServiceModel.Activation.ServiceHostFactory.CreateServiceHost(Type serviceType, Uri[] baseAddresses)
at System.ServiceModel.Activation.ServiceHostFactory.CreateServiceHost(String constructorString, Uri[] baseAddresses)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.CreateService(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
--- End of inner exception stack trace ---
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath, EventTraceActivity eventTraceActivity)</Data><Data>w3wp</Data><Data>7296</Data></EventData></Event>

Mapping with LogRhythm Schema  

| Device Key in Log Message | Log Value | LogRhythm Schema | Data Type |
|---|---|---|---|
| Provider Name | System.ServiceModel 5.5.5.5 | <vendorinfo> | Text/String |
| EventID Qualifiers | 3 | <vmid> | Number |
| Level | error | <severity> | Text/String |
| Security UserID | _originUser | <login> | Text/String |
| Security UserID | _domainOrigin | <domainorigin> | Text/String |
| N/A | w3wp | <process> | Text/String |
| Execution Processid | 7296 | <processid> | Number |
| Computer | _destinationhostname | <dname> | Text/String |
| N/A | /LogRhythm.KB.Admin.v6.1/AdminService.svc | <object> | Text/String |
| N/A | cannot be activated due to an exception during compilation | <subject> | Text/String |