windows logs
list Derek Deckert
Hi everyone,
Does anyone monitor Windows system logs? When we installed the BBWin
client on the machine it started to just crazily send messages to Xymon.
The hard drive for Xymon went from 20% to 98% in one night. I tried to
ignore logs but it still takes them in...
It's reading all the successful logins as well as the failures and logs them,
so I get about 8 entries every second from all 189 hosts.
page=Wintel
LOG %.* %.*sucess.* IGNORE
This is what I tried to do to ignore them.
Has anyone run into this issue before?
Thanks everyone...
Notice:
This communication is an electronic communication within the meaning of the Electronic Communications Privacy Act, 18 U.S.C. § 2510. Its disclosure is strictly limited to the recipient(s) intended by the sender of this message. This transmission and any attachments may contain proprietary, confidential, attorney-client privileged information and/or attorney work product. If you are not the intended recipient, any disclosure, copying, distribution, reliance on, or use of any of the information contained herein is STRICTLY PROHIBITED. Please destroy the original transmission and its attachments without reading or saving in any matter and confirm by return email.
list Jef Jagers
The ignore you are using is meant for alerting purposes, not for ignoring
the logs themselves.
I'm also looking for a solution for this matter. Haven't found one yet.
Currently the only option I see is to disable the event logs on the Windows
server itself. But that's not really an option is it. :-)
Regards,
Jef Jagers
Systems Engineer
Thomson CompuMark
Thomson Reuters
T +32 3 220 76 02
list Derek Deckert
I found you can use the client-local.cfg file... but I'm not really sure whether it will work or not. The man pages weren't much help on this issue, that is for sure. :(
list William Ottley
Hi all,
I have several printers that aren't configured with a hostname. They just have an IP address. I could create a hostname for them in the /etc/hosts file, but in the bb-hosts file I use:
COMMENT:"Xerox 425 Production"
Which looks nice on the web, but when a notice is sent out, it only shows the IP address.
How do I modify the email notifications to include the COMMENT tag? Or is there another way of doing it?
--
William Ottley
Systems Administrator
CMI Canada
XXX Idema Road
Markham ON, L3R 1A9
Phone: XXX.XXX.XXXX x342
Direct: XXX.XXX.XXXX
Fax: XXX.XXX.XXXX
This message is intended only for the use of the individual or entity
to which it is addressed, and may contain information that is
privileged, confidential and/or exempt from disclosure under
applicable law. If the reader of this is not the intended recipient,
or the employee or agent responsible for delivering the message to the
intended recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please notify me
immediately by return email and delete this message from your system.
Thank you.
list Harold J. Ballinger
We monitor the Windows event logs and have built an ignore list over time. But we mostly use the BBNT client and not the BBWIN client. We ran into a few challenges that we couldn't easily overcome when we first attempted to switch to the BBWIN client - we couldn't send test results for a different hostname, etc. We have to use the BBWIN client for our Windows Server 2008 machines, so I do have a few set up if you want to compare notes. I may get stoned by the community for suggesting this, but I would suggest trying the BBNT client as we don't have any of these types of eventlog issues with it. Otherwise, I'd be happy to match/compare our BBWIN.cfg with you.
list Derek Deckert
The problem I am having is that I have completely wiped out the [win32]
entries we have in client-local.cfg on Xymon's side. It shouldn't even be
reporting logs to Xymon because Xymon isn't looking for them (if it is
working correctly).
It will show the critical events that happen plus show the full log. We
want it to ignore all events and not even record them, but it still is...
Shouldn't the end all end all lie with client-local.cfg? If I wipe the
entries for log monitoring it should in a sense stop looking for those
logs, but Xymon still registers them and saves them in the histlogs
directory (which, I might add, is getting about 10% larger every 40
mins).
EXAMPLE
No entries in eventlog_system
No entries in eventlog_security
No entries in eventlog_application
Full log eventlog_system
Full log eventlog_security
success - 2009/07/14 10:52:48 - Security (538) - User Logoff: User Name: DKroken Domain: HFC Logon ID: (0x0,0xBD3817) Logon Type: 3
success - 2009/07/14 10:52:48 - Security (540) - Successful Network Logon: User Name: DKroken Domain: HFC Logon ID: (0x0,0xBD3817)
Logon Type: 3 Logon Process: CISCO Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: CISCO Logon
GUID: - Caller User Name: CONNETACS$ Caller Domain: HFC Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1904 Transited Services: -
Source Network Address: - Source Port: -
It is logging all the success but we have them ignored in
hobbit-clients.cfg
CLASS=win32
MEMPHYS 90 101
MEMSWAP 90 95
MEMACT 90 97
LOAD 90 95
DISK * 90 95
LOG %.* %.*warning.* COLOR=yellow IGNORE=%(printer|Perflib|PerfNet|success|redirector|CPU Utilization Management)
LOG %.* %.*error.* COLOR=red IGNORE=%(printer|Perflib|PerfNet|success|JOTS-STORAGE)
I just thought of something as I user-80158a2adc73@xymon.invalid it is a class
in bb-hosts: do all of the clients need to have the class win32 after it?
But if that was the case, then why would it be monitoring logs if it wasn't
classified as such for client-local.cfg?
HELP !!!!!
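As an added example (not code from any poster or from the Xymon or BBWin projects): a filter over the eventlog line format quoted in the post above that drops only success audits for event IDs 538 and 540, keeps a count of what it dropped, and folds wrapped continuation lines back into their event. The drop policy, the `failure` type label, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# One event header, as in the "Full log" lines quoted in the thread:
#   <type> - <YYYY/MM/DD HH:MM:SS> - <source> (<event id>) - <description>
EVENT_RE = re.compile(
    r"^(?P<type>\w+) - (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<source>.+?) \((?P<id>\d+)\) - (?P<text>.*)$"
)

# Assumed policy: drop only success audits for the two IDs seen in the thread.
DROP = {("success", "Security", 538), ("success", "Security", 540)}


def parse_events(lines):
    """Group raw lines into events; a non-header line continues the previous event."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append({**m.groupdict(), "id": int(m["id"])})
        elif events and line.strip():
            events[-1]["text"] += " " + line.strip()
    return events


def reduce_log(lines):
    """Return (kept events, count of dropped events per (source, id))."""
    kept, dropped = [], Counter()
    for ev in parse_events(lines):
        if (ev["type"].lower(), ev["source"], ev["id"]) in DROP:
            dropped[(ev["source"], ev["id"])] += 1  # keep the volume visible
        else:
            kept.append(ev)  # everything else passes, including failure audits
    return kept, dropped

# Constructed sample: two success audits shaped like the thread's lines (one
# wrapped), plus an invented failure audit and error that must survive.
SAMPLE = """\
success - 2009/07/14 10:52:48 - Security (538) - User Logoff: User Name: userA Logon Type: 3
success - 2009/07/14 10:52:48 - Security (540) - Successful Network Logon: User Name: userA
Logon Type: 3 Logon Process: Kerberos
failure - 2009/07/14 10:52:49 - Security (529) - Logon Failure: User Name: userB
error - 2009/07/14 10:52:50 - Service Control Manager (7000) - A service failed to start
""".splitlines()

if __name__ == "__main__":
    kept, dropped = reduce_log(SAMPLE)
    print(len(kept), "kept;", dict(dropped), "dropped")
```

Matching on the exact (type, source, ID) triple rather than on the word "success" keeps failure audits and any unlisted event ID flowing through, and the per-ID counter preserves a record of how much was suppressed.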
list David Baldwin
user-7cb470a0e94e@xymon.invalid wrote:
Hi everyone, Does anyone monitor windows system logs? When we installed the bbwin client on the machine it started to just crazily send messages to xymon. The harddrive for xymon went from 20% to 98% in one night. I tried to ignore logs but it still takes them in...
I also did extensive fiddling with client-side filtering options and even dived into the BBWIN source but have given up for now. We are enabling Failure Auditing on a number of servers, and some also have Success Audit, which makes the reported messages just enormous without being able to filter them on the client. In some cases I couldn't fit under even MAXMSG_CLIENT="15242880" and who knows how big I would have needed to make it!
We are now deploying SNARE to forward event logs via syslog, then using syslog-ng to split by incoming IP address, and I'm yet to modify the bb-msgs.pl or similar to do the monitoring. The logs come through well delimited into the eventlog fields, so should be very easy to filter and report on.
SNARE: http://www.intersectalliance.com/projects/SnareWindows/index.html
BBNT is less than perfect with event logs. Many messages omit important sections of the error, just showing "" instead. It is also a pain to have to set up all the ignore strings on the local clients, and without regexp patterns filtering is very primitive.
David.
--
David Baldwin - IT Unit
Australian Sports Commission
www.ausport.gov.au
Tel 02 62147830 Fax 02 62141830
PO Box 176 Belconnen ACT 2616
user-cbbf693f2c89@xymon.invalid
Leverrier Street Bruce ACT 2617
Keep up to date with what's happening in Australian sport visit http://www.ausport.gov.au
This message is intended for the addressee named and may contain confidential and privileged information. If you are not the intended recipient please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you receive this message in error, please delete it and notify the sender.
list Michael S. Fisher
I spent 2 whole days putting in filters and ignores but it was well WORTH IT... All of the junk is filtered out of our servers and only relevant warnings and errors are logged...