Solved

Event Log Full!

Posted on 2006-10-31
Last Modified: 2012-06-27
Hi,

We have been told that we must capture all login information on all AD servers. To do this I increased the size of the log to 1.5GB and changed the overwrite option to overwrite anything that is older than 21 days.

The problem we have is that the event log gets to 380MB (or thereabouts) and says it is full. This happens on all servers.

The server OS is Windows 2003 SP1.

Any help will be much appreciated.

Thanks,

Jamie
0
Question by:neverfailit
13 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 17845951
0
 

Author Comment

by:neverfailit
ID: 17846115
Thanks for getting back to me.

The first article seems to be the problem that we are having. I have been in touch with Microsoft for the hotfix and they say that the hotfix is only available for W2K Servers.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 17846171
Interesting...maybe they should change the "Applies To" section then!

Can you add any of those keys to the registry to see if the mechanism is already built in?

0

 
LVL 51

Expert Comment

by:Netman66
ID: 17846192
Have you attempted to Save the logs then clear them since you increased the size?  Article 2 discusses this.

0
 

Author Comment

by:neverfailit
ID: 17846208
I will try the reg keys option and let you know.

I have cleared the logs multiple times and nothing changes.

Thanks again,

Jamie
0
 

Author Comment

by:neverfailit
ID: 17846878
The registry change seems to have worked. The log file reached its limit of 385,152KB and the system then backed up the archive and cleared it out too. This is a good work around for me but it still doesn't explain why I have my max log file size set to 1,499,968KB and Windows decides to only let it reach 385,152KB. I suppose I could try and write a script that would delete any files that are over 21 days old so that we don't run out of disk space. I'll accept this answer so you can get the points but if you have any info why the log file will not reach my desired limit then please let me know.

Thanks again for your help,

Jamie
0
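
The retention script mentioned in the comment above could look like the following. This is an added example, not code from the thread; the archive folder and the `Archive-Security-*.evt` file-name pattern are assumptions and should be checked against where the server actually writes its archived logs.

```powershell
# Added example: delete archived Security logs older than the retention window.
# Assumptions (not from the thread): $ArchiveDir and $Pattern defaults below.
function Remove-ExpiredLogArchive {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ArchiveDir    = (Join-Path $env:SystemRoot 'System32\config'),
        [string]$Pattern       = 'Archive-Security-*.evt',
        [int]$RetentionDays    = 21
    )
    if ($RetentionDays -lt 1) { throw 'RetentionDays must be at least 1.' }
    if (-not (Test-Path -LiteralPath $ArchiveDir -PathType Container)) {
        throw "Archive folder not found: $ArchiveDir"
    }
    $cutoff = (Get-Date).AddDays(-$RetentionDays)

    # Only files matching the archive pattern are considered; the live
    # log file itself never matches and is left alone.
    $archives = @(Get-ChildItem -LiteralPath $ArchiveDir -Filter $Pattern |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime)

    foreach ($file in $archives) {
        if ($file.LastWriteTime -ge $cutoff) { continue }   # still inside retention
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete expired log archive')) {
            Remove-Item -LiteralPath $file.FullName -Force
            # Emit a record of each deletion so the run can be logged.
            [pscustomobject]@{
                Path          = $file.FullName
                LastWriteTime = $file.LastWriteTime
                SizeKB        = [int64]($file.Length / 1KB)
            }
        }
    }
}

# Dry run first: lists what would be removed without deleting anything.
Remove-ExpiredLogArchive -WhatIf
```

Run it with `-WhatIf` until the list of candidates is confirmed, then schedule it without that switch.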
 
LVL 51

Expert Comment

by:Netman66
ID: 17846921
I'm still investigating this.  I seem to recall a TechNet article, but it may only be Partner Level.  I'll let you know.

NM
0
 

Author Comment

by:neverfailit
ID: 17846929
Thanks.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17846976
It looks like the first article I posted is the one I was thinking of.

I found out that your size must be a multiple of 64:

"However, it must be a multiple of 64"

Taken directly out of this article:

http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch06n.mspx

Perhaps, it's just that simple??

Let me know.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17846988
or...

maybe there is a GPO that has been set somewhere that defines your upper limit to 385 MB.

You can run a GPRESULT on the server to see what policies are being applied to the Computer then open them in GPMC.msc to see what settings are configured.

0
 

Author Comment

by:neverfailit
ID: 17847001
I have specified the file size by GPO and it is set to 1,499,968KB. This is definitely being pushed out to all DCs. The file size is definitely a multiple of 64.

I think it is probably just a limitation due to the file being a memory mapped file. I'll work out a script and work around it.

Thanks again.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 17847011
Sorry about the flurry of posts - I just read that link I sent you last.  It explains quite clearly what's going on.

All the processes of Services.exe (including eventlog.dll) cannot consume more memory than is physically available.  Therefore, your 3 logs set to 1.5GB assumes that at least 4.5GB of RAM be available just for them (not taking anything else that runs under Services.exe).

Apparently, you're lucky as MS confirms that all 3 logs should total no more than 300MB in practice.  So you hit 385 per log which tells me you have a fair bit of RAM in that server already.

0
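
To see how a server's configured log sizes compare with the points raised in this thread (the multiple-of-64 rule and the roughly 300MB combined figure), a report along these lines can be run on each DC. This is an added example, not code from the thread; it reads the standard `MaxSize` and `File` values under the Eventlog service key, and the 300MB threshold is taken from the comment above as a parameter default.

```powershell
# Added example: report configured vs. actual event-log sizes.
# The 300 MB default is the figure quoted in the thread, not a system value.
function Get-EventLogSizeReport {
    param(
        [string[]]$LogName    = @('Application', 'Security', 'System'),
        [int]$CombinedLimitMB = 300
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
    $rows = foreach ($name in $LogName) {
        $cfg = Get-ItemProperty -Path (Join-Path $base $name)
        # MaxSize is a DWORD in bytes; undo sign wrap for values above 2 GB.
        $maxBytes = [int64]$cfg.MaxSize
        if ($maxBytes -lt 0) { $maxBytes += 4GB }
        # File may contain %SystemRoot%; expanding twice is harmless.
        $file = [Environment]::ExpandEnvironmentVariables([string]$cfg.File)
        $curBytes = 0
        if ($file -and (Test-Path -LiteralPath $file)) {
            $curBytes = (Get-Item -LiteralPath $file).Length
        }
        [pscustomobject]@{
            Log            = $name
            MaxSizeKB      = [int64]($maxBytes / 1KB)
            MultipleOf64KB = (($maxBytes % 64KB) -eq 0)
            CurrentKB      = [int64]($curBytes / 1KB)
        }
    }
    # Sum of configured maximums across the selected logs, in MB.
    $totalMB = [math]::Round((($rows | Measure-Object MaxSizeKB -Sum).Sum) / 1KB, 1)
    foreach ($row in $rows) {
        $row | Add-Member -NotePropertyName CombinedMaxMB -NotePropertyValue $totalMB
        $row | Add-Member -NotePropertyName OverCombinedLimit `
                          -NotePropertyValue ($totalMB -gt $CombinedLimitMB)
        $row
    }
}

Get-EventLogSizeReport | Format-Table -AutoSize
```

A `CurrentKB` that stalls well below `MaxSizeKB` while the log reports full is the symptom described in the question.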
 
LVL 51

Expert Comment

by:Netman66
ID: 17847023
I think you understand it correctly.  Actually, it's something I've touched on, but until now never fully researched.  This question should be a good resource for others.

Glad to help - and finally get some answers myself!

0
