logwatch: ExtractVariables: Call to EvtRender failed

Started by Staj, May 25, 2020, 09:11:48 AM

Staj

I'm experimenting with logwatch parser configurations for Windows Event Logs, specifically with our ADFS farm:
<parser>
    <file>*AD FS/Admin</file>
    <macros>
    </macros>
    <rules>
        <rule>
            <match>.+?Error message: [ \r\n]+(.+?)-(.+) .+</match>
            <id>342</id>
            <event param="2">100123</event>
        </rule>
    </rules>
</parser>


But it appears I'm blowing up the EvtRender call, message too big?
2020.05.25 15:55:17.555 *I* [                   ] NetXMS Agent started
2020.05.25 15:55:24.773 *D* [                   ] PostEvent(): event_code=100123, event_name=(null), timestamp=1590386123, num_args=10, arg[0]="[email protected]", arg[1]="The", arg[2]="AD FS", arg[3]="342", arg[4]="1", arg[5]="11902", arg[6]="1", arg[7]="http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName", arg[8]="[email protected] user name or password is incorrect", arg[9]="System.IdentityModel.Tokens.SecurityTokenValidationException: [email protected] ---> System.ComponentModel.Win32Exception: The user name or password is incorrect

   at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)

   at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)

   at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUser(String domain, String username, String password, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)

   at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ValidateUser(IAuthenticationContext context)

   --- End of inner exception stack trace ---

   at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ValidateUser(IAuthenticationContext context)

   at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateTokenInternal(UsernameAuthenticationContext usernameAuthenticationContext, SecurityToken token)

   at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)



System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect

   at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)

   at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)

   at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUser(String domain, String username, String password, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)

   at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ValidateUser(IAuthenticationContext context)"
2020.05.25 15:55:24.773 *D* [logwatch           ] ExtractVariables: Call to EvtRender failed: The data area passed to a system call is too small.

Victor Kirhenshtein

Yes, it looks like the message is too big (or rather the supplied buffer is too small). I've registered an issue in our bug tracker: https://track.radensolutions.com/issue/NX-1863

Best regards,
Victor