Posted

I have a problem with my Event Viewer.

I've set the security log size to 4 GB, and use the option to overwrite as needed.

The next day, the oldest log was from yesterday at 16h, but the size of the log was 500 MB and not 4 GB.

Then I set the option to overwrite events older than 7 days.

Same thing happened.

My question is: why are all the logs erased instead of being replaced?

I tried to erase the log file; no difference.

Any idea...

Thanks


Posted (edited)

Because there's a limitation on memory-mapped processes, drivers, and files in 32-bit Windows - any memory-mapped process, driver, or file can only contain up to 1 GB in space, no exceptions. Since the event logging .dll is running in the SharedProcess kernel address space (which is memory-mapped), the total size of all of the other things running in that SharedProcess space (services memory, desktop heap, POSIX/OS2 subsystem, etc.) will add up to the other 500 MB or so. By the way, the recommendation for ANY event log on the system is 100 MB, especially security.

Long post short - expected behavior.

Edited by cluberti
Posted (edited)
Unless you're talking about how much RAM one process can consume, I don't believe there's any 1 GB limitation, unless it's Windows 9x. Windows 9x, according to Microsoft, only supports 1 GB of RAM. I never heard of a 1 GB limitation with Windows NT, Windows 2000 and Windows XP until today!!

Edited by RJARRRPCGP
Posted

I was also under the impression that since Windows NT4, all processes within the operating system are allocated 2 GB of RAM, irrespective of whether that much physical or virtual memory is installed on the system.

I also can't see that a RAM restriction would impact on the size of the event logs, as they are physical log files as opposed to something that is permanently stored in memory.

Posted (edited)

... and you'd both be wrong :). Memory mapped files are not processes, and yes, they have a 1GB limitation. There is not a public KB article on this, but I believe if you are an MS Partner there is an article describing this.

Edit: I knew this existed. There is a technet article which backs me up on this, that is public:

http://technet2.microsoft.com/WindowsServe...3.mspx?mfr=true

The salient bits for those who don't want to read the whole article:

The Event Log service uses memory-mapped files, and it runs as Eventlog.dll, one of the services under the Services.exe process. When files are loaded in this way, the entire file is loaded into system memory. All of the current versions of Windows have an architectural limitation regarding memory-mapped files: no process can have more than 1 GB of memory-mapped files in total. This means that all of the services running under the Services.exe process must share the 1-GB pool. The memory is assigned as contiguous 64-KB chunks of memory. If the system is unable to assign additional memory needed to expand memory-mapped files, problems will arise.

For the Event Log service, this means that regardless of how large the log has been configured to be, events might no longer be written to the log. Error messages will not be displayed. The events will simply not appear in the event log, or they might overwrite other events that have been recorded previously. Fragmentation of the log files in memory has also been shown to lead to significant performance problems on busy systems.

Due to these limitations — even though the theoretical limit for memory-mapped files suggests that you should be able to configure up to 1 GB for all the event logs, and you can actually specify as much as 4 GB per log — Microsoft has verified that the practical size limit for all event logs combined is around 300 megabytes (MB) on most servers. On Windows XP, member servers, and stand-alone servers, the combined size of the application, security, and system event logs should not exceed 300 MB. On domain controllers, the combined size of these three logs — plus the Directory Service, File Replication Service, and DNS Server logs — should not exceed 300 MB.

Edited by cluberti
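The practical consequence of the limit quoted above is that an oversized Security log can stop recording with no error shown, which is exactly the symptom the original poster hit. The script below is an added example, not code from this thread or from Microsoft: it audits the classic Application, Security and System logs against the two figures the thread gives (100 MB per log, cluberti's advice; 300 MB combined, the TechNet quote), flags the DoNotOverwrite setting, and optionally applies the 100 MB / overwrite-as-needed setting. It assumes Windows PowerShell with the Get-EventLog and Limit-EventLog cmdlets and an elevated session when -Fix is used; the threshold values are parameters, not something the script derives.

```powershell
<#
  Added example (not from the thread). Audits the classic event logs against the
  thresholds quoted in the thread: 100 MB per log and 300 MB combined.
  Assumes Windows PowerShell with Get-EventLog / Limit-EventLog; run elevated for -Fix.
#>
param(
    [switch]$Fix,                      # apply 100 MB + OverwriteAsNeeded to oversized logs
    [int]$PerLogAdviceMB  = 100,       # per-log recommendation given in the thread
    [int]$CombinedLimitMB = 300        # practical combined limit quoted from TechNet
)

$classicLogs = 'Application', 'Security', 'System'

# Get-EventLog -List returns System.Diagnostics.EventLog objects. MaximumKilobytes,
# OverflowAction and MinimumRetentionDays are the same settings Event Viewer exposes.
$logs = Get-EventLog -List | Where-Object { $classicLogs -contains $_.Log }

$report = foreach ($log in $logs) {
    $sizeMB = [math]::Round($log.MaximumKilobytes / 1024, 1)
    New-Object PSObject -Property @{
        Log            = $log.Log
        MaxSizeMB      = $sizeMB
        OverflowAction = $log.OverflowAction   # OverwriteAsNeeded, OverwriteOlder, DoNotOverwrite
        RetentionDays  = $log.MinimumRetentionDays
        AboveAdvice    = ($sizeMB -gt $PerLogAdviceMB)
    }
}
$report | Select-Object Log, MaxSizeMB, OverflowAction, RetentionDays, AboveAdvice |
    Format-Table -AutoSize

# The thread's point: the sum over all logs is what matters, not any single log's setting.
$combinedMB = ($logs | Measure-Object -Property MaximumKilobytes -Sum).Sum / 1024
if ($combinedMB -gt $CombinedLimitMB) {
    Write-Warning ('Combined configured size {0:N0} MB exceeds the {1} MB practical limit: events may stop being written with no error shown.' -f $combinedMB, $CombinedLimitMB)
} else {
    Write-Host ('Combined configured size {0:N0} MB is within the {1} MB limit.' -f $combinedMB, $CombinedLimitMB)
}

# A log set to DoNotOverwrite simply stops recording once full; for Security that is a gap in the audit trail.
$logs | Where-Object { $_.OverflowAction -eq 'DoNotOverwrite' } | ForEach-Object {
    Write-Warning ('{0} log is set to DoNotOverwrite; it will stop recording when full.' -f $_.Log)
}

if ($Fix) {
    foreach ($log in $logs) {
        if (($log.MaximumKilobytes / 1024) -gt $PerLogAdviceMB) {
            # Limit-EventLog needs a size that is a multiple of 64 KB; 100 MB (1600 x 64 KB) qualifies.
            Limit-EventLog -LogName $log.Log -MaximumSize ($PerLogAdviceMB * 1MB) -OverflowAction OverwriteAsNeeded
            Write-Host ('{0}: maximum size set to {1} MB, overwrite as needed.' -f $log.Log, $PerLogAdviceMB)
        }
    }
}
```

Run it without arguments first to see the current settings and the combined total; rerun with -Fix from an elevated prompt to apply the per-log cap. If you need to retain more than 100 MB of Security events, the thread's guidance points to forwarding or archiving the log rather than enlarging it in place, since a larger setting does not guarantee more events are kept.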
Posted

Well you learn something new every day.

Many thanks Cluberti for educating me, and, now armed with this very useful information, my whole design philosophy will change!

In all honesty, I have been working with NT since 3.51, and this is the first time I have seen this, and it is very useful to know.

Thanks again.

G
