Log Jam
Use caution when setting log file limits; plus, some scripting books to check out.
- By Bill Boswell
- July 06, 2004
Bill: We enabled auditing on our domain controllers for
just about every option, including logon/logoff, object access and privilege
use. We also enabled the option to shut down the server if the Security
log gets full. The log fills up pretty quickly, so we have increased the
size to 2GB. I've heard that having a huge security log isn't such a good
idea. Anything you can tell me is appreciated.
—Chris
Chris: As you probably saw when you set the Event Log size,
the user interface allows you to create a log as large as 4GB in Windows
2000 and Windows Server 2003. The UI fibs to you, though, because the
Event Logs are memory-mapped files. As it turns out, there's a limit on
memory-mapped file sizes. The limit is 1GB, but it applies to all memory-mapped
files opened by a particular process. The Services.exe process owns the
Event Logging Service, so the 1GB limit applies to the combination of
all Event Log files plus any files opened by Services.exe.
This effectively limits the overall size for the combination of all Event
Logs to about 300 MB. If you specify a larger aggregate file size, the
system will not let the files grow beyond the memory-mapped limit and
will begin overwriting the oldest entries if you allow them to do do.
The Security log should be configured to not permit overwriting, so it's
possible that you'll reach the limit that shuts down the server long before
the file reaches the size you specified.
Get
Help from Bill |
Got a Windows or Exchange question or need troubleshooting
help? Or maybe you want a better explanation than provided
in the manuals? Describe your dilemma in an e-mail
to Bill at mailto:[email protected];
the best questions get answered in this column.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message but submit the requested
information for verification purposes.)
|
|
|
You can avoid this problem by regularly dumping the event logs when they
reach their maximum file size. In Windows 2000 SP4 and Windows Server
2003, you can configure the system to automatically dump a log to a file
and start a fresh log when it gets full. This is done with a Registry
entry called AutoBackupLogFiles. Microsoft Knowledge Base article 312571,
"The Event Log Stops Logging Events Before Reaching the Maximum Log
Size," details how to configure this entry.
So, set the Security log to a size that captures a reasonable amount
of information, such as 128MB, and set the other Event Logs to not exceed
a total of 300MB. Don't forget to clear out the saved dump files every
once in a while to avoid filling up the C: drive.
Hope this helps.
Scripting Feedback
Quite a few readers wrote in concerning last
week's scripting column.
Dom wrote to ask about the new Microsoft
Windows Scripting Self-Paced Learning Guide by Ed Wilson and Microsoft
Windows Command-Line Administrator's Pocket Consultant, by William
R. Stanek, both from Microsoft Press. I have read both books and found
them to be well-written and useful. The Command-Line Administrator book
isn't so much a scripting book as it is a reference guide to the command-line
interface (CLI) tools in Windows Server 2003, but if you want to build
batch files instead of writing scripts (and I do this quite a bit), then
this looks like a great reference. The Self-Paced Learning Guide
is a great way to get started with Windows scripting if you plan on using
VBScript. As I said last week, if you want to do cross-platform scripts,
I'd take a look at Python.
Another reader wrote to praise Teach
Yourself Windows Script Host in 21 Days by Charles Williams, et
al (Sams).
Jeffrey Snover, a software architect from Microsoft, wrote to remind
me about the great work being done in Longhorn for a new shell language,
code named "Monad." The current formal title is Microsoft Shell,
or MSH. You can find out more about MSH from
msdn.microsoft.com/theshow/episode043/default.asp
and you can get a slide
deck from
download.microsoft.com/download/1/8/f/18f8cee2-0b64-41f2-893d-a6f2295b40c8/TW04038_WINHEC2004.ppt.
I'm using the beta MSH now and I can tell you that it is innovative and
powerful. Hopefully a public beta will be forthcoming soon.
About the Author
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.