Log Jam

Use caution when setting log file limits; plus, some scripting books to check out.

Bill: We enabled auditing on our domain controllers for just about every option, including logon/logoff, object access and privilege use. We also enabled the option to shut down the server if the Security log gets full. The log fills up pretty quickly, so we have increased the size to 2GB. I've heard that having a huge security log isn't such a good idea. Anything you can tell me is appreciated.

Chris: As you probably saw when you set the Event Log size, the user interface allows you to create a log as large as 4GB in Windows 2000 and Windows Server 2003. The UI fibs to you, though, because the Event Logs are memory-mapped files. As it turns out, there's a limit on memory-mapped file sizes. The limit is 1GB, but it applies to all memory-mapped files opened by a particular process. The Services.exe process owns the Event Logging Service, so the 1GB limit applies to the combination of all Event Log files plus any files opened by Services.exe.

This effectively limits the overall size for the combination of all Event Logs to about 300 MB. If you specify a larger aggregate file size, the system will not let the files grow beyond the memory-mapped limit and will begin overwriting the oldest entries if you allow them to do do. The Security log should be configured to not permit overwriting, so it's possible that you'll reach the limit that shuts down the server long before the file reaches the size you specified.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

You can avoid this problem by regularly dumping the event logs when they reach their maximum file size. In Windows 2000 SP4 and Windows Server 2003, you can configure the system to automatically dump a log to a file and start a fresh log when it gets full. This is done with a Registry entry called AutoBackupLogFiles. Microsoft Knowledge Base article 312571, "The Event Log Stops Logging Events Before Reaching the Maximum Log Size," details how to configure this entry.

So, set the Security log to a size that captures a reasonable amount of information, such as 128MB, and set the other Event Logs to not exceed a total of 300MB. Don't forget to clear out the saved dump files every once in a while to avoid filling up the C: drive.

Hope this helps.

Scripting Feedback
Quite a few readers wrote in concerning last week's scripting column.

Dom wrote to ask about the new Microsoft Windows Scripting Self-Paced Learning Guide by Ed Wilson and Microsoft Windows Command-Line Administrator's Pocket Consultant, by William R. Stanek, both from Microsoft Press. I have read both books and found them to be well-written and useful. The Command-Line Administrator book isn't so much a scripting book as it is a reference guide to the command-line interface (CLI) tools in Windows Server 2003, but if you want to build batch files instead of writing scripts (and I do this quite a bit), then this looks like a great reference. The Self-Paced Learning Guide is a great way to get started with Windows scripting if you plan on using VBScript. As I said last week, if you want to do cross-platform scripts, I'd take a look at Python.

Another reader wrote to praise Teach Yourself Windows Script Host in 21 Days by Charles Williams, et al (Sams).

Jeffrey Snover, a software architect from Microsoft, wrote to remind me about the great work being done in Longhorn for a new shell language, code named "Monad." The current formal title is Microsoft Shell, or MSH. You can find out more about MSH from
msdn.microsoft.com/theshow/episode043/default.asp and you can get a slide
deck from
download.microsoft.com/download/1/8/f/18f8cee2-0b64-41f2-893d-a6f2295b40c8/TW04038_WINHEC2004.ppt. I'm using the beta MSH now and I can tell you that it is innovative and powerful. Hopefully a public beta will be forthcoming soon.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.


comments powered by Disqus

Subscribe on YouTube