[Xymon] Hobbit Server Overload Due To Windows Event Logs

David Baldwin david.baldwin at ausport.gov.au
Wed Oct 22 09:12:35 CEST 2014


Scott,

I have the following in my /etc/xymon/client-local.cfg file to try to
kill the event logs completely - note that the client has to report
successfuly to pull this from the server. If that fails, you can paste
directly into C:\Program Files (x86)\BBWin\tmp\clientlocal.cfg

[win32]
log:eventlog_security:10240
ignore .*
ignore .
eventlog:security:10240
ignore handle
ignore .*
ignore .
eventlog:System:10240
ignore .*
ignore .
eventlog:application:10240
ignore .*
ignore .
eventlog:directory service:10240
ignore .*
ignore .
eventlog:dfs replication:10240
ignore .*
ignore .
eventlog:windows powershell:10240
ignore .*
ignore .


I process all my Windows servers event logs on a central syslog server
forwarded by SNARE using a custom test.

David.
> We are at xymon version 4.3.3 and bbwin is at 0.13.
>  
> *Scott Allen Rebman*
> Solaris System Administrator
> HHS/HHSC/Contractor
> TIERS Operations
> (512)873-6864 (CrossPark)
> (512)275-6122 (cell)
> Scott.Rebman at hhsc.state.tx.us
>  
>  
>  
>  
> _____________________________________________
> *From:* Rebman,Scott (HHSC Contractor)
> *Sent:* Tuesday, October 21, 2014 12:22 PM
> *To:* xymon at xymon.com
> *Cc:* Mills,David (HHSC Contractor)
> *Subject:* Hobbit Server Overload Due To Windows Event Logs
>  
>  
> We’re trying to completely shut down all Windows event logs being sent
> from the clients to the Xymon server. We experimented and only seemed
> able to achieve this by deleting the:
>  
>                 <load name="msgs" value="msgs.dll"/>
>  
> line and the entire “<msgs> …</msgs>” stanza from the local BBWin.cfg.
> We thought we had a recipe for success on the rest of our Windows
> clients but when we started trying to make it work on two other boxes,
> we found that the “procs” and “timediff” tests went purple!
>  
> We experimented by putting parts of the <msgs> … stanza back in but we
> found that (apparently) the client data was not making it back to the
> server from the client after the mods. So – we got it working on our
> test box, but on two other “live” boxes it failed and interfered with
> other tests.
>  
> This is a hot item for us since our Hobbit server is being overwhelmed
> by incoming data, in large part coming from these huge Windows event logs.
>  
> Thanks!
>  
> *Scott Allen Rebman*
> Solaris System Administrator
> HHS/HHSC/Contractor
> TIERS Operations
> (512)873-6864 (CrossPark)
> (512)275-6122 (cell)
> _Scott.Rebman at hhsc.state.tx.us_ <mailto:Scott.Rebman at hhsc.state.tx.us>
>  
>  
>  
>  
>  
>
>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon


-- 
David Baldwin - Senior Systems Administrator (Datacentres + Networks)
Information and Communication Technology Services
Australian Sports Commission          http://ausport.gov.au
Tel 02 62147266 Fax 02 62141830       PO Box 176 Belconnen ACT 2616
david.baldwin at ausport.gov.au          1 Leverrier Street Bruce ACT 2617
Our Values: RESPECT + INTEGRITY + TEAMWORK + EXCELLENCE


-------------------------------------------------------------------------------------
Keep up to date with what's happening in Australian sport visit http://www.ausport.gov.au

This message is intended for the addressee named and may contain confidential and privileged information. If you are not the intended recipient please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you receive this message in error, please delete it and notify the sender.
-------------------------------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20141022/7a5999e3/attachment.html>


More information about the Xymon mailing list