Solved

Are Windows 2008 R2 Event Logs memory-mapped?

Posted on 2011-03-07
5
1,704 Views
Last Modified: 2012-05-11
I just have a question.  Are Windows 2008 R2 Event Logs memory-mapped?  I know in Windows 2003, they are, and I sometimes had headaches regarding setting maximum log sizes (over default).  

It was my understanding that 2008 would remove the memory-mapping dependency for event logs.  Especially since they now have a recommended maximum log size of 4 GB.  

The following article hints that 2008 does not use memory mapped files, but maybe I'm misinterpreting it.  http://technet.microsoft.com/en-us/library/cc722385(WS.10).aspx

 As noted in article above
0
Comment
Question by:MMcDonald
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 3

Expert Comment

by:wgray05
ID: 35057152
No, this was changed in 2008.
0
 

Author Comment

by:MMcDonald
ID: 35057328
That's what I thought, however we just had an issue with several of our Windows 2008 R2 domain controllers.

We noticed we had a lot of memory issues occurring.  We have found the security event log to be over 2 GB in size due to excessive auditing (an issue in and of itself).  The server had virtually 0 bytes of RAM free and was running horribly.  WMI queries against it would fail citing not enough memory available.  Etc, etc.

Upon clearing the event log, the server released almost 2 GBs worth of RAM and it is now performing as expected.

The above results indicate that event logs are still memory-mapped.  Unfortunately I cannot find any information pointing one way or the other outside of what I posted above, which isn't very clear.
0
 

Author Comment

by:MMcDonald
ID: 35332918
I have replicated my above findings again on another 2008 R2 DC with 2GB RAM.  The DC was at 91% memory utilization (interestingly enough task manager did not list a process showing this memory being consumed).  The security event log was at 1GB in size (we have it limited to 1GB via GPO).  As soon as I cleared the log, my memory utilization dropped by nearly half.

To me, it's pretty clear that event logs are still memory mapped.
0
 

Accepted Solution

by:
ee_auto earned 0 total points
ID: 35718506
Question PAQ'd and stored in the solution database.
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question