MMcDonald
asked on
Are Windows 2008 R2 Event Logs memory-mapped?
I just have a question. Are Windows 2008 R2 Event Logs memory-mapped? I know in Windows 2003, they are, and I sometimes had headaches regarding setting maximum log sizes (over default).
It was my understanding that 2008 would remove the memory-mapping dependency for event logs. Especially since they now have a recommended maximum log size of 4 GB.
The following article hints that 2008 does not use memory mapped files, but maybe I'm misinterpreting it. http://technet.microsoft.com/en-us/library/cc722385(WS.10).aspx
No, this was changed in 2008.
ASKER
That's what I thought; however, we just had an issue with several of our Windows 2008 R2 domain controllers.
We noticed we had a lot of memory issues occurring. We have found the security event log to be over 2 GB in size due to excessive auditing (an issue in and of itself). The server had virtually 0 bytes of RAM free and was running horribly. WMI queries against it would fail citing not enough memory available. Etc, etc.
Upon clearing the event log, the server released almost 2 GB worth of RAM and it is now performing as expected.
The above results indicate that event logs are still memory-mapped. Unfortunately I cannot find any information pointing one way or the other outside of what I posted above, which isn't very clear.
ASKER
I have replicated my above findings again on another 2008 R2 DC with 2GB RAM. The DC was at 91% memory utilization (interestingly enough, Task Manager did not list a process showing this memory being consumed). The security event log was at 1GB in size (we have it limited to 1GB via GPO). As soon as I cleared the log, my memory utilization dropped by nearly half.
To me, it's pretty clear that event logs are still memory mapped.