Log Jam

Use caution when setting log file limits; plus, some scripting books to check out.

Bill: We enabled auditing on our domain controllers for just about every option, including logon/logoff, object access and privilege use. We also enabled the option to shut down the server if the Security log gets full. The log fills up pretty quickly, so we have increased the size to 2GB. I've heard that having a huge security log isn't such a good idea. Anything you can tell me is appreciated.

Chris: As you probably saw when you set the Event Log size, the user interface allows you to create a log as large as 4GB in Windows 2000 and Windows Server 2003. The UI fibs to you, though, because the Event Logs are memory-mapped files. As it turns out, there's a limit on memory-mapped file sizes. The limit is 1GB, but it applies to all memory-mapped files opened by a particular process. The Services.exe process owns the Event Logging Service, so the 1GB limit applies to the combination of all Event Log files plus any files opened by Services.exe.

This effectively limits the overall size for the combination of all Event Logs to about 300 MB. If you specify a larger aggregate file size, the system will not let the files grow beyond the memory-mapped limit and will begin overwriting the oldest entries if you allow it to do so. The Security log should be configured to not permit overwriting, so it's possible that you'll reach the limit that shuts down the server long before the file reaches the size you specified.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:boswell@101com.com; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

You can avoid this problem by regularly dumping the event logs when they reach their maximum file size. In Windows 2000 SP4 and Windows Server 2003, you can configure the system to automatically dump a log to a file and start a fresh log when it gets full. This is done with a Registry entry called AutoBackupLogFiles. Microsoft Knowledge Base article 312571, "The Event Log Stops Logging Events Before Reaching the Maximum Log Size," details how to configure this entry.

So, set the Security log to a size that captures a reasonable amount of information, such as 128MB, and set the other Event Logs to not exceed a total of 300MB. Don't forget to clear out the saved dump files every once in a while to avoid filling up the C: drive.
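The checks this answer walks through (aggregate log size against the practical ~300 MB ceiling, a ~128 MB Security log that does not overwrite, AutoBackupLogFiles from KB 312571, and the "shut down when the Security log is full" setting) can be audited from one PowerShell script. This is an added example, not code from the column or from Microsoft. The registry paths and value names it reads (MaxSize, Retention and AutoBackupLogFiles under the EventLog service key, and CrashOnAuditFail under the Lsa key) are the real ones the classic Event Log service uses; the numeric thresholds are assumptions chosen to match the column's figures.

```powershell
# Added example: audit classic Event Log size and retention settings against the
# column's advice. Run in an elevated PowerShell session on the server in question.
$EventLogRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$LsaKey           = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$AggregateLimitMB = 300          # assumed threshold: practical ceiling quoted in the column
$SecurityTargetMB = 128          # assumed threshold: Security log size the column suggests
$DoNotOverwrite   = 0xFFFFFFFF   # Retention value meaning "Do not overwrite events"

function Get-DwordValue {
    # Registry DWORDs come back as signed Int32; mask to recover the unsigned value.
    param($Properties, [string]$Name, [long]$Default = 0)
    $raw = $Properties.$Name
    if ($null -eq $raw) { return $Default }
    return ([long]$raw) -band 0xFFFFFFFF
}

function Get-RetentionLabel {
    # Retention is 0 (overwrite as needed), 0xFFFFFFFF (never overwrite), or seconds.
    param([long]$Retention)
    if ($Retention -eq 0)               { return 'Overwrite events as needed' }
    if ($Retention -eq $DoNotOverwrite) { return 'Do not overwrite events' }
    return ('Overwrite events older than {0} days' -f [int]($Retention / 86400))
}

# Collect one row per log that actually carries a MaxSize (skips helper subkeys).
$logs = foreach ($key in Get-ChildItem -Path $EventLogRoot) {
    $p = Get-ItemProperty -Path $key.PSPath
    if ($null -eq $p.MaxSize) { continue }
    [pscustomobject]@{
        Log        = $key.PSChildName
        MaxSizeMB  = [math]::Round((Get-DwordValue $p 'MaxSize') / 1MB, 1)
        Retention  = Get-RetentionLabel (Get-DwordValue $p 'Retention')
        AutoBackup = [bool](Get-DwordValue $p 'AutoBackupLogFiles')
    }
}
$logs | Format-Table -AutoSize

$findings = @()

# The UI accepts sizes far above what the service can memory-map at once.
$totalMB = ($logs | Measure-Object -Property MaxSizeMB -Sum).Sum
if ($totalMB -gt $AggregateLimitMB) {
    $findings += "Configured log sizes total $totalMB MB, above the ~$AggregateLimitMB MB the Event Log service can actually map; the logs will stop growing early."
}

$security = $logs | Where-Object { $_.Log -eq 'Security' }
if ($security) {
    if ($security.MaxSizeMB -gt $SecurityTargetMB) {
        $findings += "Security log is $($security.MaxSizeMB) MB; the column suggests about $SecurityTargetMB MB."
    }
    if ($security.Retention -ne 'Do not overwrite events') {
        $findings += "Security log retention is '$($security.Retention)'; an audit trail should not overwrite."
    }
    if (-not $security.AutoBackup) {
        $findings += 'AutoBackupLogFiles is not set on the Security log; a full non-overwriting log will stop logging (see KB 312571).'
    }
}

# CrashOnAuditFail: 0 = off, 1 = halt when the Security log fills, 2 = already halted once.
$crashOnAuditFail = Get-DwordValue (Get-ItemProperty -Path $LsaKey) 'CrashOnAuditFail'
switch ($crashOnAuditFail) {
    1 { $findings += 'CrashOnAuditFail is on: the server halts when the Security log fills, so automatic dumping matters.' }
    2 { $findings += 'CrashOnAuditFail is 2: the system has already halted on a full log; only administrators can log on until it is reset.' }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Event Log settings match the recommendations in this column.' }
```

The script only reads the registry; apply any change through Event Viewer or Group Policy so the Event Log service picks it up cleanly, and remember that the Retention and AutoBackupLogFiles values have to be set together for the dump-and-restart behaviour described in KB 312571 to take effect.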

Hope this helps.

Scripting Feedback
Quite a few readers wrote in concerning last week's scripting column.

Dom wrote to ask about the new Microsoft Windows Scripting Self-Paced Learning Guide by Ed Wilson and Microsoft Windows Command-Line Administrator's Pocket Consultant, by William R. Stanek, both from Microsoft Press. I have read both books and found them to be well-written and useful. The Command-Line Administrator book isn't so much a scripting book as it is a reference guide to the command-line interface (CLI) tools in Windows Server 2003, but if you want to build batch files instead of writing scripts (and I do this quite a bit), then this looks like a great reference. The Self-Paced Learning Guide is a great way to get started with Windows scripting if you plan on using VBScript. As I said last week, if you want to do cross-platform scripts, I'd take a look at Python.

Another reader wrote to praise Teach Yourself Windows Script Host in 21 Days by Charles Williams, et al (Sams).

Jeffrey Snover, a software architect from Microsoft, wrote to remind me about the great work being done in Longhorn for a new shell language, code named "Monad." The current formal title is Microsoft Shell, or MSH. You can find out more about MSH from msdn.microsoft.com/theshow/episode043/default.asp, and you can get a slide deck from download.microsoft.com/download/1/8/f/18f8cee2-0b64-41f2-893d-a6f2295b40c8/TW04038_WINHEC2004.ppt. I'm using the beta MSH now and I can tell you that it is innovative and powerful. Hopefully a public beta will be forthcoming soon.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.


Reader Comments:

Tue, Jul 13, 2004 HokieJimbo Blacksburg, VA

Bob, I'm curious: what 3rd-party tool did you use to send the event log to Syslog? I've been looking for one for my relatively small department at Virginia Tech. The open-source NTSyslog looks buggy... Anyone else have ideas?

Wed, Jul 7, 2004 MrTibbs Anonymous

The KB article 312571 mentioned states that the issue was fixed in SP4. So is the log dumping still necessary?

Wed, Jul 7, 2004 Charlie Boston

You can keep the Security Log from shutting down the server by choosing "Overwrite events as needed" rather than the default of "Overwrite events older than 7 days". I believe the former is the default in 2003 Server.

Wed, Jul 7, 2004 James California

Perhaps I'm missing something. How did you go from 1GB for files to 300MB for the logs?

Wed, Jul 7, 2004 Bob Arizona

I've had trouble with log sizes that exceed even 20-30 MB, especially when trying to view the logs with Event Viewer--sometimes column sorts can't complete fast enough before new log entries are being created--I'd get a message to the effect that there is new information, do I want to include it? Responding YES just refreshes the display, effectively canceling the column sort. Responding NO is even worse--a completely blank display.

You basically have to save the logs and read them offline.

An alternative that I use now is a third-party syslog-compliant tool: it takes my EVT logs and sends them to a syslogging Linux box. On a daily basis, the syslog system compresses the hundreds of MBs of log files into a GZ archive, easily shrinking the log by a factor of 10, which I can still zgrep through. The active day's logs are in uncompressed form, so I just grep through those.

The 3rd-party tool also supports log consolidation to other, more MS-recognizable formats, including Excel spreadsheets or SQL Server--I've been meaning to explore the use of MSDE for this; a full SQL license would certainly add to the cost of centralized logging.

I've heard a rumor that an upcoming feature pack for Win2K3 Server will include a centralized logging component, likely based upon SQL too.
