Skip to main content

Unexpected End of File Error in File Server Monitoring Plan

Symptom

The Netwrix Auditor Health Log contains EventIDs 2002 and 2004:

Unexpected end of file has occurred. 
The following elements are not closed refering to Netwrix .xml files in
the ProgramData directory of the Netwrix server specific to the monitoring plan.

Cause

This error is related to the link-layer protocol. It indicates that no service account has been granted permission to access the Microsoft Link-Layer Discovery Protocol (MSLLD) driver.

Resolution

To address this issue, follow these steps:

  1. Run elevated Command Prompt to execute the following command:

    SC sdshow MSLLDPCopy

    The output should read similar to the following:

    D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
    (A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)
    (A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)
    S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

  2. Execute the following command:

    SC sdshow MUPCopy

    The output should read similar to the following:

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)
    (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)
    (A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

  3. Locate the entry for NT AUTHORITY\ SERVICE represented as (A;;CCLCSWLOCRRC;;;SU). Add it to the original MSLLDP security descriptor property, just before the last S:(AU… group.

  4. Apply the new security descriptor to the MSLLDP service using the following command. Delete the carriage return symbols when copying the command.

    sc sdset mslldp D:
    (D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BG)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
    (A;;CCDCLCSWRPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)
    (A;;LCRPWP;;;S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453)(A;;CCLCSWLOCRRC;;;SU)
    S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)