Monitor Event Logs in Realtime - Error

I have modified the script found here
http://www.microsoft.com/technet/scriptcenter/scripts/logs/eventlog/lgevvb17.mspx

to monitor event ID 560. This is running on a Windows 2000 Enterprise
Server that gets a lot of entries in the security log. Eventually my script
returns an error:
SWbemEventSource: Event queue overflowed.

Not much on this error online. I did find that the wbemess.log file
contains this entry:
(Mon Feb 05 13:30:47 2007) : The limit of 2000000 was exceeded for events
held for consumers. The system is under extreme stress and out-of-memory
conditions can ensue

The server has .Net 2.0 installed, not 1.0 which apparently there may have
been a hotfix for.

Any ideas on how to get around this error?

Thanks.

 

Yes, actually I tried something similar. Unfortunately, the event log gets
many events each minute, so a wait period that long would not work. I tried
with a shorter time interval, but eventually I get the error regardless.

 

I just looked this up, __EventConsumer class has MaximumQueueSize property
which is maximum queue size in bytes, but it is read only. Also, property
HighThresholdOnEvents (UInt32) of Win32_WMISetting class is set to 2000000,
but it is "maximum rate at which events are to be delivered". You could try
changing that property but I don't think you get more than 20000000 events
per second. Have you tried trapping the error with On Error Resume Next?

 

erkec, Thanks for your reply.

Doubtfull that we are getting that many events. We probably get up to 10
per second (around there give or take).

If I use On Error Resume Next, it never errors out, but it seems to process
the same events multiple times in some circumstances. Maybe that's when it
is normally erroring out? I don't know how to trap an error with the On
Error Resume Next. If you can explain, I would like to try it.

Thanks.

 

Could you post the script?

 

Below is the script with a few troublshooting wscript.echo commands. It is
my most recent and does generate the error. Thanks for your continued help.

'on error resume next
strComputer = "."
Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
strComputer & "\root\cimv2")
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
("SELECT * FROM __InstanceCreationEvent WHERE " _
& "TargetInstance ISA 'Win32_NTLogEvent' " _
& "and TargetInstance.EventCode = '560' ")

Do While True
Set objLatestEvent = nothing
wscript.sleep 125
Set objLatestEvent = colMonitoredEvents.NextEvent
EventMessage = UCase(objLatestEvent.TargetInstance.Message)
If ((instr(EventMessage ,"READ_CONTROL")<>0) and _
(instr(EventMessage ,".LNK")=0) and _
(instr(EventMessage ,"FOLDER.HTT")=0)) Then
MessageArray = Split(EventMessage, vbcrlf)
FileArray = Split(MessageArray(6), vbtab)
If (instr(FileArray(2),".")<>0) Then
DomainArray = Split(MessageArray(16), vbtab)
UserArray = Split(MessageArray(20), vbtab)
'wscript.echo "USER: " & UCase(DomainArray(2)) & "\" & UCase(UserArray(2))
'wscript.echo "FILE: " & UCase(FileArray(2))
wscript.echo "USER: " & DomainArray(2) & "\" & UserArray(2)
wscript.echo "FILE: " & FileArray(2)
wscript.echo "FULLDATETIME: " & objLatestEvent.TargetInstance.TimeGenerated
t_date = Left(objLatestEvent.TargetInstance.TimeGenerated, 8)
t_hr = Mid(objLatestEvent.TargetInstance.TimeGenerated, 9, 2)
t_mn = Mid(objLatestEvent.TargetInstance.TimeGenerated, 11, 2)
t_sc = Mid(objLatestEvent.TargetInstance.TimeGenerated, 13, 2)
formated_date = t_date & " " & t_hr & ":" & t_mn & ":" & t_sc
wscript.echo "DATE: " & formated_date
wscript.echo "0 if no .LNK in filename: " & instr(FileArray(2),".LNK")
If InStr(FileArray(2),"H:\DOCS")<>0 Then
Share = "DOCS"
ElseIf InStr(FileArray(2),"G:\USERS")<>0 Then
Share = "USERS"
ElseIf InStr(FileArray(2),"F:\PROJECTS")<>0 Then
Share = "PROJECTS"
ElseIf InStr(FileArray(2),"I:\SHARED")<>0 Then
Share = "SHARED"
End If
wscript.echo "SHARE: " & Share & vbcrlf
End If
End If
Loop

 

I suppose you already read this KB article:

http://support.microsoft.com/default.aspx/kb/329283

It seems to a be a known problem with WMI event providers, so I don't think
changing WMI settings will help you. The article refers to .NET WMI event
provider, so even if you had that hotfix installed I don't think that would
help.

 

Yes, saw it. It refers to .Net 1.0. I have 2.0 installed.

 

I don't think it matters which version of .NET framework you have installed,
because you don't use .NET in your script, so I think you receive events from
a different provider (I think ntevt.dll, but not sure), not from the
System.Management.dll. You could try and check if there is an updated version
of that provider that fixes your problem, and try to install it, but I'm not
really sure how to do that.
I don't know exactly what task are you trying to accomplish with your script
(I suppose more than just echoing messages), but perhaps you shuld try to
avoid using event notifications and find some other solution.

Best regards. Sorry for my English.

 

Thanks for your feedback.

In the end we will be inserting the event records into a SQL database for
auditing purposes.