[Xymon] Hobbit Server Overload Due To Windows Event Logs

Betsy Schwartz betsy.schwartz at gmail.com
Mon Oct 27 02:47:14 CET 2014


Happened to me too, on some servers we inherited. Event logs were just too
dang big ! we'd need to filter at the source to not send so much, or better
yet get them to not log so much (we moved on,so I didn't end up
implementing this)

On Wed, Oct 22, 2014 at 10:18 AM, Rebman,Scott (HHSC Contractor) <
Scott.Rebman at hhsc.state.tx.us> wrote:

>  David,
>
>
>
> Thanks you for the insight. We will try this and report on the results.
>
>
>
> *Scott Allen Rebman*
> Solaris System Administrator
> HHS/HHSC/Contractor
>
> TIERS Operations
> (512)873-6864 (CrossPark)
> (512)275-6122 (cell)
>
> Scott.Rebman at hhsc.state.tx.us
>
>
>
>
>
>
>
> *From:* David Baldwin [mailto:david.baldwin at ausport.gov.au]
> *Sent:* Wednesday, October 22, 2014 2:13 AM
> *To:* Rebman,Scott (HHSC Contractor); xymon at xymon.com
> *Cc:* Mills,David (HHSC Contractor)
> *Subject:* Re: [Xymon] Hobbit Server Overload Due To Windows Event Logs
>
>
>
> Scott,
>
> I have the following in my /etc/xymon/client-local.cfg file to try to kill
> the event logs completely - note that the client has to report successfuly
> to pull this from the server. If that fails, you can paste directly into
> C:\Program Files (x86)\BBWin\tmp\clientlocal.cfg
>
> [win32]
> log:eventlog_security:10240
> ignore .*
> ignore .
> eventlog:security:10240
> ignore handle
> ignore .*
> ignore .
> eventlog:System:10240
> ignore .*
> ignore .
> eventlog:application:10240
> ignore .*
> ignore .
> eventlog:directory service:10240
> ignore .*
> ignore .
> eventlog:dfs replication:10240
> ignore .*
> ignore .
> eventlog:windows powershell:10240
> ignore .*
> ignore .
>
>
> I process all my Windows servers event logs on a central syslog server
> forwarded by SNARE using a custom test.
>
> David.
>
>  We are at xymon version 4.3.3 and bbwin is at 0.13.
>
>
>
> *Scott Allen Rebman*
> Solaris System Administrator
> HHS/HHSC/Contractor
>
> TIERS Operations
> (512)873-6864 (CrossPark)
> (512)275-6122 (cell)
>
> Scott.Rebman at hhsc.state.tx.us
>
>
>
>
>
>
>
>
>
> _____________________________________________
> *From:* Rebman,Scott (HHSC Contractor)
> *Sent:* Tuesday, October 21, 2014 12:22 PM
> *To:* xymon at xymon.com
> *Cc:* Mills,David (HHSC Contractor)
> *Subject:* Hobbit Server Overload Due To Windows Event Logs
>
>
>
>
>
> We’re trying to completely shut down all Windows event logs being sent
> from the clients to the Xymon server. We experimented and only seemed able
> to achieve this by deleting the:
>
>
>
>                 <load name="msgs" value="msgs.dll"/>
>
>
>
> line and the entire “<msgs> …</msgs>” stanza from the local BBWin.cfg. We
> thought we had a recipe for success on the rest of our Windows clients but
> when we started trying to make it work on two other boxes, we found that
> the “procs” and “timediff” tests went purple!
>
>
>
> We experimented by putting parts of the <msgs> … stanza back in but we
> found that (apparently) the client data was not making it back to the
> server from the client after the mods. So – we got it working on our test
> box, but on two other “live” boxes it failed and interfered with other
> tests.
>
>
>
> This is a hot item for us since our Hobbit server is being overwhelmed by
> incoming data, in large part coming from these huge Windows event logs.
>
>
>
> Thanks!
>
>
>
> *Scott Allen Rebman*
> Solaris System Administrator
> HHS/HHSC/Contractor
>
> TIERS Operations
> (512)873-6864 (CrossPark)
> (512)275-6122 (cell)
>
> Scott.Rebman at hhsc.state.tx.us
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>  _______________________________________________
>
> Xymon mailing list
>
> Xymon at xymon.com
>
> http://lists.xymon.com/mailman/listinfo/xymon
>
>
>
>
>  --
>
> David Baldwin - Senior Systems Administrator (Datacentres + Networks)
>
> Information and Communication Technology Services
>
> Australian Sports Commission          http://ausport.gov.au
>
> Tel 02 62147266 Fax 02 62141830       PO Box 176 Belconnen ACT 2616
>
> david.baldwin at ausport.gov.au          1 Leverrier Street Bruce ACT 2617
>
> Our Values: RESPECT + INTEGRITY + TEAMWORK + EXCELLENCE
>
>
>  ------------------------------
>
> Keep up to date with what's happening in Australian sport visit
> www.ausport.gov.au
>
> This message is intended for the addressee named and may contain
> confidential and privileged information. If you are not the intended
> recipient please note that any form of distribution, copying or use of this
> communication or the information in it is strictly prohibited and may be
> unlawful. If you receive this message in error, please delete it and notify
> the sender.
>  ------------------------------
>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20141026/ad0c30b3/attachment.html>


More information about the Xymon mailing list