Event Log getting filled up

By philip.hong
I support a large environment which is divided into 4 domains with about 120 BDCs (NT 4) and 5000 NT 4 workstations in each domain. The PDCs are still NT 3.51 (Please don't ask me why we're still running NT 3.51 on PDCs.)
We want to keep at least 7 days' worth of events in the system event logs on the PDCs but they continuously get filled up with event 5711 (partial synchronization).
We have increased the system event log size to 70MB and still we are only able to capture 4 to 5 days' worth of events in 2 domains.
I've done a little research and found that most of this traffic is generated by secure channel password changes.
My manager is reluctant to disable this feature. My only option, then, is to increase the system event log size to perhaps 100MB to capture a week's worth of data.
Does anyone know of any negative implications of making the event log so large? Or, I'd greatly appreciate any other suggestions on getting a handle on this matter. Thanks.

This conversation is currently closed to new comments.

All Comments

Event Log getting filled up

by KaiserSose In reply to Event Log getting filled ...

The only problem with leaving the event log size to be a large size is that they take up disk space on the NT boot drive. As long as you've enough free space there this is not a problem.
You could save the event logs to a *.txt file on a regular basis so you can clear them while still having a record of them.
Rgrds
The Man with the Plan

Event Log getting filled up

by philip.hong In reply to Event Log getting filled ...

Poster rated this answer

Event Log getting filled up

by mcclenbw In reply to Event Log getting filled ...

Here's a better idea. I use a freeware utility called EventSave (URL below) to archive my event logs every day. It archives logs by month, and if run more than once a month, it appends the new events to the existing monthly log file.

The archives can then be re-loaded into the Event Viewer at any time.

http://www.heysoft.de/nt/eventlog/ep-es.htm

Event Log getting filled up

by philip.hong In reply to Event Log getting filled ...

Poster rated this answer

Event Log getting filled up

by NTOz In reply to Event Log getting filled ...

By today's standards, a 100 megabyte file is actually pretty small. There shouldn't be any issues with making the file as large as you need it to accommodate what you're trying to capture. I would suggest, though, that you take a look at what you're capturing across the board, because some things you're capturing might not serve your needs overall and would be a waste to capture anyway. You can also then weekly dump your event logs to text and use a tool like pkzip to compress the logs, as text files compress to a very small fraction of what they are in full. You could set your log files to overwrite after seven days and write a very easy batch file that runs weekly to dump the event files to wherever you want and at the same time zip them into archives. The only tools you would need are the resource kit and pkware's command line zip utility, which is free.

Pete
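
An added example, not part of the original thread: one way to "look at what you're capturing" once the System log has been dumped to text is to measure which event ID dominates and project the log size needed for a retention target. The four-column tab-separated layout, the sample rows and the function name `summarize` are assumptions made for this illustration, and the projection treats all records as roughly equal in size.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export (assumed layout): date, time, event ID, source.
SAMPLE = (
    "03/01/2001\t08:00:00\t6005\tEventLog\n"
    "03/01/2001\t09:10:00\t5711\tNETLOGON\n"
    "03/02/2001\t02:15:00\t5711\tNETLOGON\n"
    "03/02/2001\t14:40:00\t5711\tNETLOGON\n"
    "03/03/2001\t03:05:00\t5711\tNETLOGON\n"
    "03/03/2001\t11:30:00\t7000\tService Control Manager\n"
    "03/04/2001\t06:20:00\t5711\tNETLOGON\n"
    "03/05/2001\t01:45:00\t5711\tNETLOGON\n"
    "03/05/2001\t19:00:00\t5711\tNETLOGON\n"
    "03/06/2001\t08:00:00\t5711\tNETLOGON\n"
)

def summarize(tsv_text, log_size_mb, target_days):
    """Report what fills the log and the size needed to hold target_days."""
    rows = [r for r in csv.reader(io.StringIO(tsv_text), delimiter="\t") if r]
    stamps = [datetime.strptime(r[0] + " " + r[1], "%m/%d/%Y %H:%M:%S")
              for r in rows]
    span = (max(stamps) - min(stamps)).total_seconds() / 86400 if stamps else 0
    if span <= 0:
        raise ValueError("export must span more than one timestamp")
    counts = Counter(int(r[2]) for r in rows)
    top_event, top_count = counts.most_common(1)[0]
    top_share = top_count / len(rows)
    # Assumption: the export is one full log of log_size_mb, so the fill
    # rate in MB/day is simply size divided by the days it covers.
    needed = log_size_mb / span * target_days
    return {
        "span_days": span,
        "top_event": top_event,
        "top_share": top_share,
        "size_for_target_mb": needed,
        # Size needed if the dominant event were not being logged at all.
        "size_without_top_mb": needed * (1 - top_share),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, log_size_mb=70, target_days=7))
```

Run against a real export, the two size figures show how much of the requested log growth is attributable to the single dominant event versus everything else worth retaining.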

Event Log getting filled up

by NTOz In reply to Event Log getting filled ...

Forgot to mention you can change the default of where event files are logged through the registry.

See:

How to Change the Default Event Viewer Log File Location [Q216169]

Event Log getting filled up

by NTOz In reply to Event Log getting filled ...

How to Move the Event Logs to Another Location [Q175386]

Also, the maximum size of an event log is 4 gigabytes. The event logging process uses the same JET database structure as DHCP, WINS and is a close cousin of other database structures like Exchange Server. The Microsoft JET database structure has been around for a long time and is pretty reliable and should have no concern for a 100, 200, 500 megabyte size. Remember, there are environments much larger than yours that have files many times larger than yours. Microsoft as a company had only a handful of domains before they moved to Active Directory. Think about how large their event files must have been. Third party tools are fine, but you really do have everything you need already and native to NT.

Pete

Event Log getting filled up

by philip.hong In reply to Event Log getting filled ...

Poster rated this answer

Event Log getting filled up

by philip.hong In reply to Event Log getting filled ...

This question was closed by the author
