EvtRender() failed after update 4.7 → 5.2

3
responses

RAZR

Hello, After updating 4.7 → 5.2 every 20-40mins ERROR appears,

ERROR [im_msvistalog|winlog] Couldn't retrieve eventlog fields from xml, EvtRender() failed; The data area passed to a system call is too small.

Is it safe to ignore?

ERROR EvtRender,

AskedFebruary 1, 2021 - 2:03am

Comments (3)

RAZR

Leave a comment

Every time after 3-4 hours of working, nxlog stop processing events and even write to nxlog.log Last messages from nxlog.log

2021-02-04 05:49:07 ERROR [im_msvistalog|winlog] Couldn't retrieve eventlog fields from xml, EvtRender() failed; The data area passed to a system call is too small.  
2021-02-04 05:49:32 ERROR [im_msvistalog|winlog] last message repeated 24 times

How to define events that triggers this ERRORs and crush reasons?

February 4, 2021 - 9:42am

manuel.munoz (NXLog)
Leave a comment
You could use log_info($raw_event); function in order to print the offending event to nxlog.log.

February 4, 2021 - 10:25am

RAZR
Leave a comment
Thanks!

It seems, that im_msvistalog struggle with this error, when trying to parse huge EventData fields from

Microsoft-Windows-PowerShell/Operational EventID=4104

EventData in this events contains ScriptBlockText which is very huge and contains special characters.

Is it possible to fix this?

Or disable EventData parsing somehow in im_msvistalog for specific EventID ?

I can provide event sample, to reproduce ERROR btw
February 5, 2021 - 5:43pm

You are here

EvtRender() failed after update 4.7 → 5.2

Comments (3)

Answers (0)