RE: [logs] Windows Event Log Analysis

From: Frank Heyne (fhat_private-dresden.de)
Date: Sat Jan 04 2003 - 02:42:41 PST


    On 3 Jan 2003, at 17:34, Buck Buchanan wrote:
    
    > I have both systems configured so that the event logger logs everything
    > that is sent to it.  Both systems have the logs set to overwrite.  
    
    IMHO, this is not a good idea.
    You should be aware of what the system has to do in overwrite mode *for 
    every single event* when the log is full:
    - search the oldest event
    - check whether the new event is larger than the oldest event
    - if yes, search the second oldest event 
    - check again, until enough space for the new event is found
    - write the new event
    - write eventlog footer after new event
    - write updated information into eventlog header
    
    You see, there is a lot to do, which can result in the loss of events if you log everything.
    
    If you chose the option to overwrite events after a defined 
    number of days, you might lose additional events, see
    http://www.heysoft.de/nt/eventlog/faqa1.htm#A24
    
    > Rebooting the NT has "fixed" arp, but rasusers and the bash subshell still
    > are not logging process termination.
    
    This seems to be "normal behaviour", see 
    http://www.heysoft.de/nt/eventlog/faqa1.htm#A9
    
    
    
    Frank Heyne
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
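The eviction loop Frank describes above (find the oldest event, check whether the new one fits, keep evicting until it does, then rewrite footer and header), as an added simulation that is not code from the post, from heysoft.de, or from the NT event log itself. The header/footer sizes, the record layout and the operation counters are assumptions made for illustration; the point is that one incoming event can cost several evictions plus two metadata rewrites once the log is full.

```python
"""Toy model of an event log in overwrite-when-full mode.

Assumptions (not the real NT .evt format): a fixed-size header and footer,
records stored as (event_id, size) in arrival order, and a byte budget
`capacity` for the whole file.
"""
from collections import deque


class OverwriteLog:
    HEADER = 48   # assumed header size in bytes
    FOOTER = 40   # assumed footer size in bytes

    def __init__(self, capacity):
        self.capacity = capacity
        self.records = deque()          # oldest event is at the left
        self.next_id = 1
        # bookkeeping to show how much work one write can trigger
        self.stats = {"writes": 0, "evictions": 0,
                      "footer_writes": 0, "header_writes": 0}

    def used(self):
        return self.HEADER + sum(size for _, size in self.records) + self.FOOTER

    def free(self):
        return self.capacity - self.used()

    def oldest_id(self):
        return self.records[0][0] if self.records else None

    def write(self, size):
        """Append one event of `size` bytes; return the ids evicted to make room."""
        if self.HEADER + size + self.FOOTER > self.capacity:
            raise ValueError("event larger than the whole log")
        evicted = []
        # overwrite mode: search the oldest event, check whether the new
        # event is larger than the space it frees, repeat until it fits
        while self.free() < size:
            event_id, _ = self.records.popleft()
            evicted.append(event_id)
            self.stats["evictions"] += 1
        # write the new event, then footer after it, then the updated header
        self.records.append((self.next_id, size))
        self.next_id += 1
        self.stats["writes"] += 1
        self.stats["footer_writes"] += 1
        self.stats["header_writes"] += 1
        return evicted


def demo():
    """Fill a 1000-byte log with nine 100-byte events, then log a 250-byte one.

    Free space after the nine small events is 12 bytes, so the large event
    forces three evictions before it fits.  Returns (evicted ids, log).
    """
    log = OverwriteLog(capacity=1000)
    for _ in range(9):
        log.write(100)
    evicted = log.write(250)
    return evicted, log


if __name__ == "__main__":
    ids, log = demo()
    print("evicted:", ids)            # evicted: [1, 2, 3]
    print("oldest now:", log.oldest_id())
    print("stats:", log.stats)
```

With the constructed sizes, the single 250-byte event evicts events 1, 2 and 3 and still costs a footer and a header write; with a burst of large events arriving at once, this is the extra work per event that Frank warns can cause drops in overwrite mode.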
    



    This archive was generated by hypermail 2b30 : Sat Jan 04 2003 - 10:44:29 PST