Error Message

Message in the Audit Viewer:

An unexpected error has occurred. First, please check if the audit server is up and running. Then, if the issue still persists, contact your system administrator.

A Dtrace of the w3wp process on the CA server may show exceptions as below. Dtrace exception (formatted with line breaks for easier reading):

Exception: One or more errors occurred. 
Info:{RBO_AuditingWrapper} {CX} 
Diag: 
Type:System.AggregateException 
ST: at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
| at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
| at System.Threading.Tasks.Task`1.get_Result()
| at Veritas.Supervision.AuditDataGenerator.AuditServerConfiguration.AuditServerRestClientBase.Execute(HttpMethod httpMethod, String call, Object content, String eTag)
| at Veritas.Supervision.AuditDataGenerator.AuditServerConfiguration.AuditServerRestClientBase.Post(String call, Object content)
| at Veritas.Supervision.EnhancedAuditing.EnhancedAuditor.SelectAuditRecords[T](String auditquery)
| at KVS.Accelerator.RBO.RBO_Auditing.GetAuditRecords(String query)
| at Veritas.Supervision.ApiEndpoint.Infrastructure.RBOWrappers.RBO_AuditingWrapper.GetAuditRecords(ElasticSearchQuery query) 
Inner:System.Net.Http.HttpRequestException: An error occurred while sending the request. 
---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. 
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
| at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
| at System.Net.PooledStream.EndWrite(IAsyncResult asyncResult)
| at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
| --- End of inner exception stack trace ---
| at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
| at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
| --- End of inner exception stack trace ---

ElasticSearch (ES) is installed as a part of the Enhanced Auditing installation. The ES installation creates a certificate with the Enhanced Auditing server name as the Subject Alternate Name (SAN). This should be the fully qualified domain name (FQDN) of the server. However, the NetBIOS name may be listed as a default. This SAN is used to access Audit data via the ES web address (uniform resource locator or URL), which is typically https://.

If Enhanced Auditing is installed on the CA server, the NetBIOS name can be specified for the URL and IIS will correctly handle the interactions. However, if Enhanced Auditing is installed on a server that is not the CA server, the URL specified for ES must be the FQDN of the Enhanced Auditing server, not the NetBIOS name of the Enhanced Auditing server. Specifying the NetBIOS name of the Enhanced Auditing server will cause IIS on the CA server to not correctly interact with the ES server and list the errors above.

The remediation steps are:

- Copy the MSI file of the Enhanced Auditing installer to a local drive on the Enhanced Auditing server. Re-run the Audit Server installation and select the option to Modify the existing installation. Then specify the correct FQDN of the Audit Server's server when configuring Audit Server URL. The installer can take an extended time to complete - this is normal.

- Use Certificate Manager on the Enhanced Auditing server to export the AuditAppCert (Friendly Name) from the Local Computer's Trusted Root Certification Authorities Certificates and import it into the same location on the CA server.

- In the CA Configuration Settings, enter the correct FQDN of the Audit Server in the Audit Server URL.

Note: The CA Installation Guide has more information on the above steps in the section titled Installing and configuring the Enhanced Auditing feature. See the Related Articles for the applicable guide.