Configuring Agent Logs

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

MOM reads events that are collected in the Windows event log files. Additionally, some management packs might read data from other log files. Agent log files, especially the Windows event log files, fill up and stop logging events under the following conditions:

  • The maximum log file size that is set is too small.

  • The log file is configured to keep events for a specified number of days. Events younger than that retention period cannot be overwritten, so when the log fills up, new events are dropped.

  • The log file is configured to be cleared manually, instead of overwriting events automatically if the log file fills up.

If the log files fill up, then MOM cannot continue to monitor the events until the log files are cleared. Ensure that the Windows event log files are appropriately configured to optimize MOM’s use of these logs. Configure other log files, as needed.

You can configure log files either before or after installing the agent. You can configure the log files manually or automatically by using the Configure Event Logs tool. The checklists for installing agents prompt you to configure agent logs after the agent is installed.

Recommended Log File Settings

For the Windows event logs, increase the maximum log size from the default of 512 KB to at least 10 MB. Adjust this value depending on the role of the server and the available disk space. Set the log size to greater than 10 MB under the following circumstances:

  • Auditing is enabled. Auditing can significantly increase the amount of data that MOM writes to the event log.

  • An enterprise application that generates a high volume of data is installed on the server, such as Microsoft Internet Security and Acceleration Server or Microsoft Commerce Server.

  • The server is a domain controller.

  • The available disk space on a server is high.

Finally, when you configure Windows event logs, choose Overwrite events as needed. If the log file fills up, this option allows the log file to continue logging new events. When the log is full, each new event replaces the oldest event.

Apply similar settings to other logs that are used by Management Packs, as needed.

Manually Adjusting Settings for Windows Event Logs

Manually adjust settings by using Event Viewer.

To modify settings for Windows event logs

  1. On the Start menu, point to Programs, point to Administrative Tools, and then click Event Viewer.

  2. Right-click the event log you want to modify settings for, and then click Properties.

  3. Modify the settings, and then click OK.

Automating Changes to Log File Settings Using the Configure Event Logs Tool

You can automate the process of configuring agent logs by using the Configure Event Logs tool (ConfigureEventLogs.wsf). This tool is located in the Microsoft Operations Manager Resource Kit. This tool performs the following configuration changes to logs:

  • It modifies the size of the log according to a value you provide.

  • It configures the log file to overwrite events as needed.

You must indicate:

  • Which log to configure, such as the event log or the application log. Run this tool once for each log.

  • Which computers to target.

The Configure Event Logs tool obtains computer names from the MOM WMI object, allowing you to target computers on which the agent is already installed. Specify computers using one of the following methods:

  • Specify all agent computers within a configuration group.

  • Specify all agent computers within a computer group.

  • Import a text file list of computer names.

The server that you run this tool from must have access to all target computers.

Command-Line Syntax

This section details the command-line options that can be used with the Configure Event Logs tool.

ConfigureEventLogs /eventlog:Event_log_name /size:size {/server:DCAM_server [/group:computer_group] | /file:file_name_or_path} [/preserve:{true, false}]

Table 6.2 Command-Line Options for the Configure Event Logs Tool

/eventlog:log

Specifies the name of the log file to reconfigure. Specify only one log file.

Enter the name that is used by the LogFileName property of the Win32_NTEventlogFile class (for example, AppEvent.evt or SecEvent.evt).

/size:size

Specifies the size, in megabytes, to which to reset the log file.

/server:DCAM_server

Specifies the name or IP address of one of the DCAMs in the configuration group. It does not matter which DCAM is specified, as long as the DCAM has access to the database for the configuration group. If this option is not used, you must specify computers by using the /file option.

/group:computer_group_name

Specifies the computer group to obtain computer names from. This option is not required. If you use this option, you must also use the /server option. If the computer group name includes spaces, place quotation marks around the name.

This command-line option applies log configuration changes to all agents within the computer group. Use this option to target configuration changes for computers that have specific roles within your organization. For example, Active Directory domain controllers require larger log sizes than other servers.

/file:file_name_or_path

Reads a text file list of computer names. Use quotation marks if the file name or path contains spaces.

This option applies log configuration changes to all computers listed in the text file. Because the names come from a text file rather than from MOM, you can apply configuration changes to log files before you install the agent on the computer. If the /server option is not used, you must specify the /file option. Use the following guidelines:

  • List one computer name per line.

  • Use the NetBIOS name. Do not use the Fully Qualified Domain Name (FQDN) name.

  • Do not use the domain name or workgroup name.

  • Do not use a Unicode file.

You can use the ManualMC.txt file with this tool.

/preserve:{true, false}

Use this option either to ensure that you do not decrease the size of the log file or to overwrite the previous log file size. Use one of the following values:

  • true: Preserves the existing log file size if it is greater than the size you provide. For example, if a log file size was previously set to 100 MB and the command line you enter specifies a size of 50 MB, the tool does not decrease the size to 50 MB. Instead, the size remains 100 MB.

  • false: Overwrites the previous log file size with the size that you specify.

Usage Examples

This section includes examples of command-line syntax for performing configuration changes on agent log files. Each example runs the Configure Event Logs tool through cscript.exe, the console-based Windows Script Host interpreter.

Basic usage examples

To configure the Windows application log file, use the following syntax. This example applies the configuration changes to all agents within a configuration group.

cscript.exe ConfigureEventLogs.wsf /eventlog:Application /size:10 /server:DCAM_server

Use the following syntax to set the Application event log to 30 MB on the Active Directory domain controllers in a computer group.

cscript.exe ConfigureEventLogs.wsf /eventlog:Application /size:30 /server:DCAM_server /group:"Windows 2000 Domain Controllers"

Use the following syntax to read a text file list of computers and set the Application event log size to 10 MB.

cscript.exe ConfigureEventLogs.wsf /eventlog:Application /size:10 /file:allDCs.txt
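The script below is an added example; it is not the Resource Kit tool, nor code from this page. It reproduces what the tool does (the recommended size and overwrite-as-needed policy from the settings section, the /file list of NetBIOS names, and the /preserve rule from the option table) with the built-in Windows PowerShell cmdlets Get-EventLog and Limit-EventLog, which exist in Windows PowerShell 5.1 but not in PowerShell 7. It first reports each computer's current maximum size and overflow policy for the chosen log, and only changes anything when run with -Fix. The parameter names, the default file name and the report columns are the example's own choices.

```powershell
# Added example (not the MOM Resource Kit tool). Audits, and with -Fix corrects,
# the maximum size and overflow policy of one event log on a list of computers.
# Assumptions: Windows PowerShell 5.1 (Get-EventLog / Limit-EventLog), an account
# with administrative rights on every target, and RPC access to the remote
# Event Log service (the same "access to all target computers" the tool needs).
param(
    [string]$ComputerListFile = 'ManualMC.txt',  # one NetBIOS name per line, non-Unicode text
    [string]$LogName          = 'Application',
    [int]   $SizeMB           = 10,              # the page recommends at least 10 MB
    [bool]  $Preserve         = $true,           # same meaning as /preserve:true
    [switch]$Fix                                 # without -Fix the script only reports
)

$targetBytes = [int64]$SizeMB * 1MB

# Same rules as the tool's /file option: one name per line; blank lines are ignored.
$computers = Get-Content -Path $ComputerListFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' }

foreach ($computer in $computers) {
    try {
        $log = Get-EventLog -List -ComputerName $computer |
            Where-Object { $_.Log -eq $LogName }
        if (-not $log) {
            Write-Warning "${computer}: log '$LogName' not found"
            continue
        }

        $currentBytes = [int64]$log.MaximumKilobytes * 1KB
        $sizeOk = $currentBytes -ge $targetBytes
        $wrapOk = $log.OverflowAction -eq 'OverwriteAsNeeded'

        # /preserve:true never shrinks a log that is already larger than the
        # requested size; /preserve:false sets exactly the requested size.
        $newBytes = if ($Preserve -and $currentBytes -gt $targetBytes) { $currentBytes } else { $targetBytes }
        $needsChange = (-not $wrapOk) -or ($currentBytes -ne $newBytes)

        # Report line: Compliant means "meets the recommendation above".
        [pscustomobject]@{
            Computer       = $computer
            Log            = $LogName
            CurrentMB      = [math]::Round($currentBytes / 1MB, 2)
            OverflowAction = $log.OverflowAction
            Compliant      = ($sizeOk -and $wrapOk)
            WouldChange    = $needsChange
        }

        if ($Fix -and $needsChange) {
            # Limit-EventLog requires a size that is a multiple of 64 KB; whole
            # megabytes satisfy that.
            Limit-EventLog -ComputerName $computer -LogName $LogName `
                -MaximumSize $newBytes -OverflowAction OverwriteAsNeeded
        }
    }
    catch {
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
}
```

Run it first without -Fix to see which computers would change, for example `.\Audit-AgentLog.ps1 -ComputerListFile .\allDCs.txt -LogName Application -SizeMB 30`, and then add `-Fix`. Two caveats carried over from the classic event logs: reducing a log's maximum size (which only happens with -Preserve $false) does not take effect until that log has been cleared, and the Security log can be changed only by an account holding the security privilege, so expect access-denied warnings there when the account lacks it.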

Monitoring Log File Setting Issues

After you configure the log, watch for events indicating that the log size is too small and adjust the size of the log accordingly. For example, the Application log writes event 6000, which indicates that the Application log file is full. Additionally, MOM generates the following events, which indicate that events in the logs might be lost:

  • Event 25013: The event log wrapped. This error occurs when the provider is inactive for a period of time in which more events are logged than the event log can contain. Events are probably lost. If you continue to receive this event, increase the size of the log.

  • Event 25012: The log appears to have been cleared since it was last read. The Windows NT Event Log Provider might lose events whenever an event log is cleared.
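As an added example (not code from this page or from MOM), the following PowerShell script sweeps a set of computers for the three indicators named above and summarises them per computer, so that the "is the log still too small?" check can be run on a schedule rather than by reading Event Viewer. It assumes Get-WinEvent (Windows Vista / Server 2008 and later), assumes that the MOM events 25012 and 25013 are written to the Application log, which this page does not state, and uses its own parameter names and report columns.

```powershell
# Added example: find events that indicate an event log is too small or was
# cleared, on one or more computers, and report counts per event ID.
# Assumptions: Get-WinEvent is available, the remote Event Log service is
# reachable (Remote Event Log Management firewall rule), and the three event
# IDs below appear in the Application log.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Hours = 24
)

# Event IDs taken from the text; the descriptions are used only in the report.
$watch = @{
    6000  = 'Application log file is full'
    25013 = 'Event log wrapped; events probably lost'
    25012 = 'Log appears to have been cleared since last read'
}

$since = (Get-Date).AddHours(-$Hours)

foreach ($computer in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Application'
            Id        = [int[]]$watch.Keys
            StartTime = $since
        }
    }
    catch {
        # Get-WinEvent throws when nothing matches; that means the computer is clean.
        if ($_.Exception.Message -match 'No events were found') {
            $events = @()
        }
        else {
            Write-Warning "${computer}: $($_.Exception.Message)"
            continue
        }
    }

    foreach ($group in ($events | Group-Object -Property Id)) {
        $id = [int]$group.Name
        $lastSeen = ($group.Group | Sort-Object -Property TimeCreated -Descending |
            Select-Object -First 1).TimeCreated

        # 6000 and 25013 both mean the log filled; 25012 means someone cleared it.
        $action = if ($id -eq 25012) { 'Review who cleared the log' } else { 'Increase the log size' }

        [pscustomobject]@{
            Computer = $computer
            EventId  = $id
            Count    = $group.Count
            Meaning  = $watch[$id]
            LastSeen = $lastSeen
            Action   = $action
        }
    }
}
```

A typical call is `.\Find-LogSizeEvents.ps1 -ComputerName DC01,DC02 -Hours 168 | Format-Table -AutoSize`. Repeated 25013 or 6000 hits on the same computer across runs are the signal the text describes for raising that log's size; 25012 hits are worth reviewing separately, because a cleared log loses events for every consumer, not only MOM.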