I'm experimenting with logwatch parser configurations for Windows Event Logs, specifically with our ADFS farm:
<parser>
  <file>*AD FS/Admin</file>
  <macros>
  </macros>
  <rules>
    <rule>
      <match>.+?Error message: [ \r\n]+(.+?)-(.+) .+</match>
      <id>342</id>
      <event param="2">100123</event>
    </rule>
  </rules>
</parser>

But it appears I'm blowing up the EvtRender call, message too big?
2020.05.25 15:55:17.555 *I* [ ] NetXMS Agent started
2020.05.25 15:55:24.773 *D* [ ] PostEvent(): event_code=100123, event_name=(null), timestamp=1590386123, num_args=10, arg[0]="[email protected]", arg[1]="The", arg[2]="AD FS", arg[3]="342", arg[4]="1", arg[5]="11902", arg[6]="1", arg[7]="http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName", arg[8]="[email protected] user name or password is incorrect", arg[9]="System.IdentityModel.Tokens.SecurityTokenValidationException: [email protected] ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUser(String domain, String username, String password, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ValidateUser(IAuthenticationContext context)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ValidateUser(IAuthenticationContext context)
at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateTokenInternal(UsernameAuthenticationContext usernameAuthenticationContext, SecurityToken token)
at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUser(String domain, String username, String password, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ValidateUser(IAuthenticationContext context)"
2020.05.25 15:55:24.773 *D* [logwatch ] ExtractVariables: Call to EvtRender failed: The data area passed to a system call is too small.
Yes, it looks like the message is too big (or rather the supplied buffer is too small). I've registered an issue in our bug tracker: https://track.radensolutions.com/issue/NX-1863
Best regards,
Victor