After upgrading to SEM 2025.2 and subsequently upgrading agents, we are seeing more instances of Windows systems sending "Misconfigured Windows Event connector: *, stopping connector.". Can be any of the Application/Security/System connectors, or all three. No apparent pattern of commonalities to the servers. Messages I find in spoplog are typically like the following:
(Wed May 14 13:18:35 EDT 2025) II:INFO [NtReader] {VistaSecurity-Windows Security:43} Abnormal event increment detected: Requested: 26595081, Got: 26595080, Gap: -1 records
(Wed May 14 13:18:35 EDT 2025) II:INFO [NtReader] {VistaSecurity-Windows Security:45} Abnormal event increment detected: Requested: 26595081, Got: 26595082, Gap: 1 records
(Wed May 14 13:18:35 EDT 2025) II:INFO [NtReader] {VistaSecurity-Windows Security:43} Abnormal event increment detected: Requested: 26595083, Got: 26595082, Gap: -1 records
(Wed May 14 13:18:35 EDT 2025) EE:ERR [NtReader] {VistaSecurity-Windows Security:45} Exception reading events
java.lang.IllegalArgumentException: capacity < 0: (-56 < 0)
Seems a recycle of the service or just restarting the connector fixes the issue. Bug in the new agent code, or just new agent maybe being more sensitive to reporting issues that have always existed? Never saw these before, certainly not in this volume. Any ideas?
