Hi everyone,
Does anyone monitor Windows system logs? When we installed the bbwin client on the machine it started to just crazily send messages to xymon. The hard drive for xymon went from 20% to 98% in one night. I tried to ignore logs but it still takes them in...
It's reading all the successful logins as well as the failures and logs them, so I get about 8 entries every second from all 189 hosts.
page=Wintel LOG %.* %.*sucess.* IGNORE
This is what I tried to do to ignore them.
Has anyone run into this issue before?
Thanks everyone...
Notice: This communication is an electronic communication within the meaning of the Electronic Communications Privacy Act, 18 U.S.C. § 2510. Its disclosure is strictly limited to the recipient(s) intended by the sender of this message. This transmission and any attachments may contain proprietary, confidential, attorney-client privileged information and/or attorney work product. If you are not the intended recipient, any disclosure, copying, distribution, reliance on, or use of any of the information contained herein is STRICTLY PROHIBITED. Please destroy the original transmission and its attachments without reading or saving in any matter and confirm by return email.
The ignore you are using is meant for alerting purposes, not for ignoring the logs themselves. I'm also looking for a solution for this matter. Haven't found one yet.
Currently the only option I see is to disable the event logs on the windows server itself. But that's not really an option is it. :-)
Regards, Jef Jagers Systems Engineer Thomson CompuMark
Thomson Reuters
T +32 3 220 76 02
I found you can use the client-local.cfg file... but I'm not really sure whether it will work or not. The man pages weren't much help on this issue, that is for sure.
:(
Hi all, I have several printers that aren't configured with a hostname. They just have an IP address. I could create a hostname for them in the /etc/hosts file, but in the bb-hosts file I use: COMMENT:"Xerox 425 Production"
Which looks nice on the web, but when a notice is sent out, it only shows the IP address. How do I modify the email notifications to include the COMMENT tag?
Or is there another way of doing it?
-- William Ottley Systems Administrator CMI Canada 115 Idema Road Markham ON, L3R 1A9 Phone: 905.752.2100 x342 Direct: 905.754.4825 Fax: 905.475.7061
This message is intended only for the use of the individual or entity to which it is addressed, and may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If the reader of this is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify me immediately by return email and delete this message from your system. Thank you.
We monitor the windows event logs and have built an ignore list over time. But we mostly use the BBNT client and not the BBWIN client. We ran into a few challenges that we couldn't easily overcome when we first attempted to switch to the BBWIN client - we couldn't send test results for a different hostname, etc.
We have to use the BBWIN client for our Windows Server 2008 machines, so I do have a few set up if you want to compare notes?
I may get stoned by the community for suggesting this, but I would suggest trying the BBNT client as we don't have any of these types of eventlog issues with it.
Otherwise, I'd be happy to match/compare our BBWIN.cfg with you.
The problem I am having is that I have completely wiped out the [win32] entries we have in client-local.cfg on xymon's side. It shouldn't even be reporting logs to xymon because xymon isn't looking for them (if it is working correctly).
It will show the critical events that happen plus show the full log. We want it to ignore all events and not even record them but it still is...
Shouldn't the end all end all lie with client-local.cfg? If I wipe the entries for log monitoring it should in a sense stop looking for those logs, but xymon still registers them and saves them in the histlogs directory... (which I might add is getting about 10% larger every 40 mins).
EXAMPLE
No entries in eventlog_system
No entries in eventlog_security
No entries in eventlog_application
Full log eventlog_system
Full log eventlog_security
success - 2009/07/14 10:52:48 - Security (538) - User Logoff: User Name: DKroken Domain: HFC Logon ID: (0x0,0xBD3817) Logon Type: 3
success - 2009/07/14 10:52:48 - Security (540) - Successful Network Logon: User Name: DKroken Domain: HFC Logon ID: (0x0,0xBD3817)
Logon Type: 3 Logon Process: CISCO Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: CISCO Logon
GUID: - Caller User Name: CONNETACS$ Caller Domain: HFC Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1904 Transited Services: -
Source Network Address: - Source Port: -
It is logging all the success but we have them ignored in hobbit-clients.cfg
CLASS=win32
    MEMPHYS 90 101
    MEMSWAP 90 95
    MEMACT 90 97
    LOAD 90 95
    DISK * 90 95
    LOG %.* %.*warning.* COLOR=yellow IGNORE=%(printer|Perflib|PerfNet| success|redirector|CPU Utilization Management)
    LOG %.* %.*error.* COLOR=red IGNORE=%(printer|Perflib|PerfNet| success|JOTS-STORAGE)
I just thought of something as I looked at this... because it is a class in bb-hosts, do all of the clients need to have the class win32 after it? But if that was the case, then why would it be monitoring logs if it wasn't classified as such for client-local.cfg?
HELP !!!!!
DKDeckert at Hormel.com wrote:
Hi everyone,
Does anyone monitor windows system logs? When we installed the bbwin client on the machine it started to just crazily send messages to xymon. The harddrive for xymon went from 20% to 98% in one night. I tried to ignore logs but it still takes them in...
I also did extensive fiddling with client-side filtering options and even dived into the BBWIN source but have given up for now. We are enabling Failure Auditing on a number of servers, and some also have Success Audit, which makes the reported messages just enormous without being able to filter them on the client. In some cases I couldn't fit under even MAXMSG_CLIENT="15242880" and who knows how big I would have needed to make it!
We are now deploying SNARE to forward event logs via syslog, then using syslog-ng to split by incoming IP address, and I'm yet to modify the bb-msgs.pl or similar to do the monitoring. The logs come through well delimited into the eventlog fields, so should be very easy to filter and report on. SNARE: http://www.intersectalliance.com/projects/SnareWindows/index.html
BBNT is less than perfect with event logs. Many messages omit important sections of the error, just showing "" instead. It is also a pain to have to set up all the ignore strings on the local clients, and without regexp patterns filtering is very primitive.
David.
-- David Baldwin - IT Unit Australian Sports Commission www.ausport.gov.au Tel 02 62147830 Fax 02 62141830 PO Box 176 Belconnen ACT 2616 david.baldwin at ausport.gov.au Leverrier Street Bruce ACT 2617
Keep up to date with what's happening in Australian sport visit http://www.ausport.gov.au
This message is intended for the addressee named and may contain confidential and privileged information. If you are not the intended recipient please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you receive this message in error, please delete it and notify the sender.
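Added example, not part of the original thread and not code from any poster or from the Xymon/BBWin projects: a pre-storage filter for event log text in the layout of the eventlog_security lines quoted earlier in the thread. It drops selected success-audit entries together with their continuation lines and counts what was dropped. The drop list, the `failure` type label and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Header of one entry, following the layout quoted in the thread:
#   <type> - <YYYY/MM/DD HH:MM:SS> - <source> (<event id>) - <message>
ENTRY = re.compile(
    r"^(?P<type>\w+) - (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) - "
    r"(?P<source>[^()]+?) \((?P<event_id>\d+)\) - (?P<message>.*)$"
)

# Assumption: what counts as noise is local policy. 538 and 540 are the
# logoff / network-logon event IDs that appear in the thread's sample.
DROP = {("success", 538), ("success", 540)}

def filter_entries(lines, drop=DROP):
    """Return (kept_lines, dropped_counts).

    A line that does not start a new entry is a continuation line and
    shares the fate of the entry it belongs to.
    """
    kept, dropped = [], Counter()
    keeping = True  # text before the first header is passed through
    for line in lines:
        m = ENTRY.match(line)
        if m:
            key = (m["type"].lower(), int(m["event_id"]))
            keeping = key not in drop
            if not keeping:
                dropped[key] += 1
        if keeping:
            kept.append(line)
    return kept, dropped

# Constructed sample (not real log data); the failure line is assumed
# to use the same layout as the success lines shown in the thread.
SAMPLE = [
    "success - 2009/07/14 10:52:48 - Security (538) - User Logoff: User Name: exampleuser Domain: EXAMPLE Logon Type: 3",
    "success - 2009/07/14 10:52:48 - Security (540) - Successful Network Logon: User Name: exampleuser Domain: EXAMPLE",
    "Logon Type: 3 Logon Process: EXAMPLE Workstation Name: EXAMPLE",
    "Source Network Address: - Source Port: -",
    "failure - 2009/07/14 10:52:49 - Security (529) - Logon Failure: Reason: Unknown user name or bad password",
    "Logon Type: 3 Workstation Name: EXAMPLE",
    "success - 2009/07/14 10:52:50 - Security (538) - User Logoff: User Name: exampleuser Domain: EXAMPLE Logon Type: 3",
]

if __name__ == "__main__":
    kept, dropped = filter_entries(SAMPLE)
    print("\n".join(kept))
    print(dict(dropped))
```

The dropped counts give a per-event-ID measure of how much volume the filter removes, which helps when deciding whether an entry type is safe to discard rather than store.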
I spent 2 whole days putting in filters and ignores but it was well WORTH IT...
All of the junk is filtered out of our servers and only relevant warnings and errors are logged...