Technical Tip: FSSO is missing logon information and 'Error: Insufficient buffer' is present in Collector Agent logs (debug)
| Description | This article describes an issue where the FSSO Collector Agent (CA) may miss user logon events when the monitoring method “Check Windows Security Event Logs” is used.
When certain features or auditing policies are enabled on a Domain Controller (DC), the size of Windows Security Event Log records may increase significantly. If an event record exceeds the buffer size allocated by the FSSO Collector Agent during event processing, the CA cannot parse the event properly. In such cases, the Windows API returns the error:
ERROR_INSUFFICIENT_BUFFER
When this condition occurs, the Collector Agent is unable to parse the event record and therefore skips the event entirely. As a result, the Collector Agent may miss user logon events such as:
Since the Collector Agent cannot process these events, the corresponding user login information is not forwarded to the FortiGate, which may lead to:
This behavior is typically observed in environments where:
|
| Scope | FortiGate. |
| Solution | To prevent this issue, switch the FSSO monitoring method to WMI (Windows Management Instrumentation).
The WMI method retrieves logon information using Windows management interfaces rather than parsing Security Event Log records directly. Because of this, it is not affected by event log record size limitations, making it more reliable in environments where security events contain large payloads. To change the monitoring method in the FSSO Collector Agent:
After switching to WMI monitoring, verify that user logon events are being properly detected and forwarded to the FortiGate.
On the FortiGate CLI, verify whether the user logon information is received:
diagnose debug authd fsso list
Note: This behavior has been implemented since v5.0272 (in previous releases, the FSSO processing got stuck). |
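The skip-on-error behavior from the Description, as an added simulation in C (not Fortinet's code and not the Windows API). The reader function, the 4096-byte buffer and the record sizes are constructed assumptions; the error value 122 is the numeric value of ERROR_INSUFFICIENT_BUFFER.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulation only: not the Windows API and not Collector Agent code. */
#define ERR_INSUFFICIENT_BUFFER 122  /* numeric value of ERROR_INSUFFICIENT_BUFFER */

/* Constructed record sizes in bytes: the second logon has a large payload. */
static const size_t RECORD_SIZES[] = { 600, 9000, 700 };
#define NUM_RECORDS (sizeof RECORD_SIZES / sizeof RECORD_SIZES[0])

/* Hypothetical reader: fails and reports the size needed if buf is too small. */
static int read_record(size_t idx, char *buf, size_t buflen, size_t *needed)
{
    *needed = RECORD_SIZES[idx];
    if (buflen < *needed)
        return ERR_INSUFFICIENT_BUFFER;  /* nothing is copied */
    memset(buf, 'E', *needed);           /* stand-in for the event data */
    return 0;
}

/* Counts logon records parsed. With retry == 0 an oversize record is skipped
   (the behavior described above); with retry != 0 the buffer is grown to
   the reported size and the read is repeated. */
size_t collect(size_t buflen, int retry)
{
    char *buf = malloc(buflen);
    size_t needed = 0, parsed = 0;
    if (!buf) return 0;
    for (size_t i = 0; i < NUM_RECORDS; i++) {
        int rc = read_record(i, buf, buflen, &needed);
        if (rc == ERR_INSUFFICIENT_BUFFER && retry) {
            char *bigger = realloc(buf, needed);
            if (!bigger) break;
            buf = bigger;
            buflen = needed;
            rc = read_record(i, buf, buflen, &needed);
        }
        if (rc == 0) parsed++;           /* else: this logon is lost */
    }
    free(buf);
    return parsed;
}

int main(void)
{
    printf("fixed 4096-byte buffer: %zu of %zu logons\n", collect(4096, 0), (size_t)NUM_RECORDS);
    printf("grow and retry:         %zu of %zu logons\n", collect(4096, 1), (size_t)NUM_RECORDS);
    return 0;
}
```

With the fixed buffer, only the oversize record is lost and the records around it still parse, so the symptom is intermittent missing logons rather than a complete outage.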
