Symptoms:
"Last sync status" shows as "Failed" and sometimes as "Success"
"Last sync date" can be from a long time ago
Configuring WMI does not solve the issue
In NSX manager logs (vsm.log), you may see entries similar to:
r: 305849756 Event ID: 4624 Type: 8 Generate at: Mon Oct 22 11:47:06 CEST 2018 Details:[S-1-0-0, -, -, 0x0, S-1-5-21-530208284-1578177633-111032338-231675, ITS33408$, GAVLE, 0x32528c28, 3, Kerberos, Kerberos, -, {076275EF-F075-####-####-########1A3}, -, -, 0, 0x0, -, 192.168.10.154, 50859, %%1833], reached its componenet queue threshold: 1000, user event could be lost.
and
2018-10-22 16:24:06.973 CEST WARN taskScheduler-22 WinEventLogCIFSReader:328 - - [nsxv@6876 comp="nsx-manager" subcomp="manager"] gkdc1: Error happened when reading event log, will close connection. Error message: The data area passed to a system call is too small.
This behavior occurs when there are more than 200 logins per minute. Currently, IDFW supports 200 logins/min with both CIFS and WMI.
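To check whether an NSX Manager is hitting this limit, the two vsm.log entries quoted above can be counted per minute and per event log server. The Python below is an added example, not VMware code; the sample lines, the server name dc-example1 and the function name triage are constructed for illustration.

```python
import re
from collections import Counter

# Signatures copied from the two vsm.log entries quoted above.
# "componenet" is spelled as it appears in the log message.
QUEUE_RE = re.compile(
    r"Generate at: (?P<when>.+?) Details:"
    r".*reached its componenet queue threshold: \d+"
)
READER_RE = re.compile(
    r"WinEventLogCIFSReader:\d+ .*?\] (?P<server>\S+): "
    r"Error happened when reading event log"
)

# Constructed sample lines (not real log data), shaped like the entries above.
_Q = ("Event ID: 4624 Type: 8 Generate at: Mon Jan 01 {t} UTC 2024 "
      "Details:[S-1-0-0, -], reached its componenet queue threshold: 1000, "
      "user event could be lost.")
_R = ("2024-01-01 10:20:0{n}.000 UTC WARN taskScheduler-1 "
      "WinEventLogCIFSReader:328 - - "
      '[nsxv@6876 comp="nsx-manager" subcomp="manager"] dc-example1: '
      "Error happened when reading event log, will close connection.")
SAMPLE = [_Q.format(t="10:15:06"), _Q.format(t="10:15:48"),
          _Q.format(t="10:16:02"), _R.format(n=1), _R.format(n=2),
          "2024-01-01 10:21:00.000 UTC INFO unrelated line"]


def triage(lines):
    """Return (queue-threshold hits per minute, reader errors per server)."""
    overflow_by_minute = Counter()
    reader_errors = Counter()
    for line in lines:
        m = QUEUE_RE.search(line)
        if m:
            # Drop the seconds so events group by the minute they were generated.
            minute = re.sub(r"(\d{2}:\d{2}):\d{2}", r"\1", m["when"])
            overflow_by_minute[minute] += 1
        m = READER_RE.search(line)
        if m:
            reader_errors[m["server"]] += 1
    return overflow_by_minute, reader_errors


if __name__ == "__main__":
    overflow, errors = triage(SAMPLE)
    for minute, hits in sorted(overflow.items()):
        print(f"{minute}: {hits} event(s) hit the queue threshold")
    for server, count in errors.items():
        print(f"{server}: {count} event log read error(s)")
```

Each queue-threshold hit marks a logon event that may not have reached IDFW, so the minutes with the most hits show when the login rate needs to be reduced.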
Currently there is no resolution.
Workaround:
No workaround is available other than reducing the number of events from the event log servers. One alternative for virtual machines is to use Guest Introspection; with it, there is no need to scrape event logs to catch the logins.
Impact/Risks:
User events could be lost.