<div dir="ltr">Happened to me too, on some servers we inherited. Event logs were just too dang big! We'd need to filter at the source to not send so much, or better yet get them to not log so much (we moved on, so I didn't end up implementing this)<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 22, 2014 at 10:18 AM, Rebman,Scott (HHSC Contractor) <span dir="ltr">&lt;<a href="mailto:Scott.Rebman@hhsc.state.tx.us" target="_blank">Scott.Rebman@hhsc.state.tx.us</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div bgcolor="white" link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">David,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thank you for the insight. We will try this and report on the results.<u></u><u></u></span></p><span class="">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<p class="MsoNormal"><b><span style="font-size:14.0pt;font-family:"Script MT Bold";color:#1f497d">Scott Allen Rebman</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
<br>
</span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1f497d">Solaris System Administrator
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><br>
</span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1f497d">HHS/HHSC/Contractor<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1f497d">TIERS Operations</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
<br>
</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="tel:%28512%29873-6864" value="+15128736864" target="_blank">(512)873-6864</a> (CrossPark)<br>
</span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#1f497d"><a href="tel:%28512%29275-6122" value="+15122756122" target="_blank">(512)275-6122</a> (cell)</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="mailto:Scott.Rebman@hhsc.state.tx.us" target="_blank">Scott.Rebman@hhsc.state.tx.us</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
</span><div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> David Baldwin [mailto:<a href="mailto:david.baldwin@ausport.gov.au" target="_blank">david.baldwin@ausport.gov.au</a>]
<br>
<b>Sent:</b> Wednesday, October 22, 2014 2:13 AM<br>
<b>To:</b> Rebman,Scott (HHSC Contractor); <a href="mailto:xymon@xymon.com" target="_blank">xymon@xymon.com</a><br>
<b>Cc:</b> Mills,David (HHSC Contractor)<br>
<b>Subject:</b> Re: [Xymon] Hobbit Server Overload Due To Windows Event Logs<u></u><u></u></span></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Scott,<br>
<br>
I have the following in my /etc/xymon/client-local.cfg file to try to kill the event logs completely - note that the client has to report successfully to pull this from the server. If that fails, you can paste directly into C:\Program Files (x86)\BBWin\tmp\clientlocal.cfg<br>
<br>
[win32]<br>
log:eventlog_security:10240<br>
ignore .*<br>
ignore .<br>
eventlog:security:10240<br>
ignore handle<br>
ignore .*<br>
ignore .<br>
eventlog:System:10240<br>
ignore .*<br>
ignore .<br>
eventlog:application:10240<br>
ignore .*<br>
ignore .<br>
eventlog:directory service:10240<br>
ignore .*<br>
ignore .<br>
eventlog:dfs replication:10240<br>
ignore .*<br>
ignore .<br>
eventlog:windows powershell:10240<br>
ignore .*<br>
ignore .<br>
<br>
<br>
I process all my Windows servers' event logs on a central syslog server forwarded by SNARE using a custom test.<br>
<br>
David.<u></u><u></u></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">We are at xymon version 4.3.3 and bbwin is at 0.13.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">_____________________________________________<br>
<b>From:</b> Rebman,Scott (HHSC Contractor) <br>
<b>Sent:</b> Tuesday, October 21, 2014 12:22 PM<br>
<b>To:</b> <a href="mailto:xymon@xymon.com" target="_blank">xymon@xymon.com</a><br>
<b>Cc:</b> Mills,David (HHSC Contractor)<br>
<b>Subject:</b> Hobbit Server Overload Due To Windows Event Logs</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">We’re trying to completely shut down all Windows event logs being sent from the clients to the Xymon server. We experimented and only seemed able to achieve this by deleting
 the:<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">                &lt;load name="msgs" value="msgs.dll"/&gt;<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">line and the entire “&lt;msgs&gt; …&lt;/msgs&gt;” stanza from the local BBWin.cfg. We thought we had a recipe for success on the rest of our Windows clients but when we started trying
 to make it work on two other boxes, we found that the “procs” and “timediff” tests went purple!<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">We experimented by putting parts of the &lt;msgs&gt; … stanza back in but we found that (apparently) the client data was not making it back to the server from the client after
 the mods. So – we got it working on our test box, but on two other “live” boxes it failed and interfered with other tests.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">This is a hot item for us since our Hobbit server is being overwhelmed by incoming data, in large part coming from these huge Windows event logs.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Thanks!<u></u><u></u></span></p>
</div>
<pre>_______________________________________________<u></u><u></u></pre>
<pre>Xymon mailing list<u></u><u></u></pre>
<pre><a href="mailto:Xymon@xymon.com" target="_blank">Xymon@xymon.com</a><u></u><u></u></pre>
<pre><a href="http://lists.xymon.com/mailman/listinfo/xymon" target="_blank">http://lists.xymon.com/mailman/listinfo/xymon</a><u></u><u></u></pre>
</blockquote>
<p class="MsoNormal"><br>
<br>
<br>
<u></u><u></u></p>
<pre>-- <u></u><u></u></pre>
<pre>David Baldwin - Senior Systems Administrator (Datacentres + Networks)<u></u><u></u></pre>
<pre>Information and Communication Technology Services<u></u><u></u></pre>
<pre>Australian Sports Commission          <a href="http://ausport.gov.au" target="_blank">http://ausport.gov.au</a><u></u><u></u></pre>
<pre>Tel 02 62147266 Fax 02 62141830       PO Box 176 Belconnen ACT 2616<u></u><u></u></pre>
<pre><a href="mailto:david.baldwin@ausport.gov.au" target="_blank">david.baldwin@ausport.gov.au</a>          1 Leverrier Street Bruce ACT 2617<u></u><u></u></pre>
<pre>Our Values: RESPECT + INTEGRITY + TEAMWORK + EXCELLENCE<u></u><u></u></pre>
</div></div></div>
</div>

<br></blockquote></div><br></div>
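<p>Added example, not part of the original thread and not Xymon or BBWin code: a small Python audit that parses a client-local.cfg-style file laid out like the excerpt in the thread and lists the log or event-log channels whose ignore patterns discard every line, so that a muted Security log shows up as a recorded decision. It assumes each ignore line applies to the log:/eventlog: entry above it and uses Python's re module as a stand-in for the client's regex engine; the sample config and probe strings are constructed.</p>

```python
import re

# Constructed sample that mirrors the layout of the excerpt in the thread.
SAMPLE_CFG = """\
[win32]
eventlog:security:10240
ignore handle
ignore .*
eventlog:System:10240
ignore noisy-service
eventlog:application:10240

[linux]
log:/var/log/messages:10240
ignore .
"""

# Constructed probe lines: a pattern matching all of them is treated as
# "drops every non-empty line" (a heuristic, not a proof).
PROBES = ["a", "EventID 4625 logon failure", "x" * 40, "0"]

def parse_sections(text):
    """Return {section: [(kind, name, maxbytes, [ignore patterns]), ...]}."""
    sections, current, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # new host/class section such as [win32]
            current, entry = sections.setdefault(m.group(1), []), None
            continue
        if current is None:
            continue
        # Greedy name group keeps spaces and colons ("directory service", C:\...).
        m = re.fullmatch(r"(log|eventlog):(.+):(\d+)", line)
        if m:
            entry = (m.group(1), m.group(2), int(m.group(3)), [])
            current.append(entry)
        elif line.startswith("ignore ") and entry is not None:
            entry[3].append(line[len("ignore "):])
    return sections

def matches_everything(pattern):
    try:
        rx = re.compile(pattern)
    except re.error:  # invalid in Python's dialect: cannot judge, do not flag
        return False
    return all(rx.search(p) for p in PROBES)

def fully_suppressed(text):
    """List (section, channel) pairs where an ignore pattern drops every line."""
    return [(sec, name)
            for sec, entries in parse_sections(text).items()
            for _kind, name, _max, pats in entries
            if any(matches_everything(p) for p in pats)]
```

<p>Calling fully_suppressed() on the server's client-local.cfg contents gives the list of channels that the monitoring server will never see, which can be compared against what the central syslog path is expected to cover.</p>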