Xymon Mailing List Archive

Hobbit Server Overload Due To Windows Event Logs

6 messages in this thread

list Scott Rebman · Tue, 21 Oct 2014 17:22:25 +0000 ·
We're trying to completely shut down all Windows event logs being sent from the clients to the Xymon server. We experimented and only seemed able to achieve this by deleting the:

                <load name="msgs" value="msgs.dll"/>

line and the entire "<msgs> ...</msgs>" stanza from the local BBWin.cfg. We thought we had a recipe for success on the rest of our Windows clients but when we started trying to make it work on two other boxes, we found that the "procs" and "timediff" tests went purple!

We experimented by putting parts of the <msgs> ... stanza back in but we found that (apparently) the client data was not making it back to the server from the client after the mods. So - we got it working on our test box, but on two other "live" boxes it failed and interfered with other tests.

This is a hot item for us since our Hobbit server is being overwhelmed by incoming data, in large part coming from these huge Windows event logs.

Thanks!

Scott Allen Rebman
Solaris System Administrator
HHS/HHSC/Contractor
TIERS Operations
(512)873-6864 (CrossPark)
(512)275-6122 (cell)
user-bcaa70f63753@xymon.invalid
list Scott Rebman · Tue, 21 Oct 2014 17:40:02 +0000 ·
We are at xymon version 4.3.3 and bbwin is at 0.13.

Scott Allen Rebman
Solaris System Administrator
HHS/HHSC/Contractor
TIERS Operations
(512)873-6864 (CrossPark)
(512)275-6122 (cell)
user-bcaa70f63753@xymon.invalid


list Claessens Jurgen · Wed, 22 Oct 2014 07:01:34 +0000 ·
Hi Scott,

Open your config file with a text editor that supports HTML layout, like Notepad++. This makes it easier for editing.
Make a comment of the entire section.
<!-- <msgs>

</msgs> -->
Check if the entire section is now set as a comment. As an additional check, you can verify in the event log if the service has restarted OK.

Regards
Jurgen Claessens
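
The "check if the entire section is now a comment" step can be automated. The following is an added example, not part of the original post and not BBWin code: it parses a BBWin.cfg-style file and reports whether it is still well-formed XML and whether the msgs agent is still loaded or configured. The sample layout (`<configuration>`, `<bbwin>`, `procs.dll`, `<rule/>`) is constructed for illustration; only the `<load name="msgs" .../>` line and the `<msgs>` stanza name come from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element layout other than the msgs load line and the
# <msgs> stanza name is an assumption made for this example.
ORIGINAL = """<configuration>
  <bbwin>
    <load name="procs" value="procs.dll"/>
    <load name="msgs" value="msgs.dll"/>
  </bbwin>
  <msgs>
    <!-- site note -->
    <rule/>
  </msgs>
</configuration>
"""
LOAD = '<load name="msgs" value="msgs.dll"/>'


def comment_out(text, start, end):
    """Wrap the span from `start` through `end` in an XML comment, as done by hand."""
    i = text.index(start)
    j = text.index(end, i) + len(end)
    return text[:i] + "<!-- " + text[i:j] + " -->" + text[j:]


def check_msgs_disabled(cfg_text):
    """Return (well_formed, msgs_loaded, msgs_stanza_active)."""
    try:
        root = ET.fromstring(cfg_text)  # comments are dropped by the parser
    except ET.ParseError:
        # A file that is not well-formed cannot be trusted for any agent.
        return (False, None, None)
    loaded = any(el.get("name") == "msgs" for el in root.iter("load"))
    stanza = root.find(".//msgs") is not None
    return (True, loaded, stanza)


# Stanza commented out but the load line left active.
HALF = comment_out(ORIGINAL.replace("<!-- site note -->", ""), "<msgs>", "</msgs>")
# Both the load line and the stanza commented out.
CLEAN = comment_out(HALF, LOAD, LOAD)
# Stanza wrapped in a comment while it still contains a comment: XML comments
# cannot nest, so the whole file stops being well-formed.
NESTED = comment_out(comment_out(ORIGINAL, LOAD, LOAD), "<msgs>", "</msgs>")

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL), ("half", HALF),
                      ("clean", CLEAN), ("nested", NESTED)]:
        print(name, check_msgs_disabled(cfg))
```

A result of `(False, None, None)` means the edit broke the file as a whole, which is worth ruling out before rolling the change to more clients.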
list David Baldwin · Wed, 22 Oct 2014 18:12:35 +1100 ·
Scott,

I have the following in my /etc/xymon/client-local.cfg file to try to
kill the event logs completely - note that the client has to report
successfully to pull this from the server. If that fails, you can paste
directly into C:\Program Files (x86)\BBWin\tmp\clientlocal.cfg

[win32]
log:eventlog_security:10240
ignore .*
ignore .
eventlog:security:10240
ignore handle
ignore .*
ignore .
eventlog:System:10240
ignore .*
ignore .
eventlog:application:10240
ignore .*
ignore .
eventlog:directory service:10240
ignore .*
ignore .
eventlog:dfs replication:10240
ignore .*
ignore .
eventlog:windows powershell:10240
ignore .*
ignore .


I process all my Windows servers event logs on a central syslog server
forwarded by SNARE using a custom test.

David.
-- 
David Baldwin - Senior Systems Administrator (Datacentres + Networks)
Information and Communication Technology Services
Australian Sports Commission          http://ausport.gov.au
Tel 02 62147266 Fax 02 62141830       PO Box 176 Belconnen ACT 2616
user-cbbf693f2c89@xymon.invalid          1 Leverrier Street Bruce ACT 2617
Our Values: RESPECT + INTEGRITY + TEAMWORK + EXCELLENCE


list Scott Rebman · Wed, 22 Oct 2014 14:18:05 +0000 ·
David,

Thank you for the insight. We will try this and report on the results.

Scott Allen Rebman
Solaris System Administrator
HHS/HHSC/Contractor
TIERS Operations
(512)873-6864 (CrossPark)
(512)275-6122 (cell)
user-bcaa70f63753@xymon.invalid


list Betsy Schwartz · Sun, 26 Oct 2014 21:47:14 -0400 ·
Happened to me too, on some servers we inherited. Event logs were just too
dang big! We'd need to filter at the source to not send so much, or better
yet get them to not log so much (we moved on, so I didn't end up
implementing this)
