Monitor Event Logs in Realtime - Error

Discussion in 'Scripting' started by Rob, Feb 6, 2007.

  1. Rob

    Rob Guest

    I have modified the script found here

    to monitor event ID 560. This is running on a Windows 2000 Enterprise
    Server that gets a lot of entries in the security log. Eventually my script
    returns an error:
    SWbemEventSource: Event queue overflowed.

    Not much on this error online. I did find that the wbemess.log file
    contains this entry:
    (Mon Feb 05 13:30:47 2007) : The limit of 2000000 was exceeded for events
    held for consumers. The system is under extreme stress and out-of-memory
    conditions can ensue

    The server has .Net 2.0 installed, not 1.0 which apparently there may have
    been a hotfix for.

    Any ideas on how to get around this error?

    Rob, Feb 6, 2007

  2. Rob

    Rob Guest

    Yes, actually I tried something similar. Unfortunately, the event log gets
    many events each minute, so a wait period that long would not work. I tried
    with a shorter time interval, but eventually I get the error regardless.
    Rob, Feb 7, 2007

  3. Rob

    urkec Guest

    I just looked this up: the __EventConsumer class has a MaximumQueueSize property,
    which is the maximum queue size in bytes, but it is read-only. Also, the
    HighThresholdOnEvents (UInt32) property of the Win32_WMISetting class is set to 2000000,
    but it is the "maximum rate at which events are to be delivered". You could try
    changing that property, but I don't think you get more than 20000000 events
    per second. Have you tried trapping the error with On Error Resume Next?
    urkec, Feb 9, 2007
  4. Rob

    Rob Guest

    urkec, thanks for your reply.

    Doubtful that we are getting that many events. We probably get up to 10
    per second (around there, give or take).

    If I use On Error Resume Next, it never errors out, but it seems to process
    the same events multiple times in some circumstances. Maybe that's when it
    is normally erroring out? I don't know how to trap an error with the On
    Error Resume Next. If you can explain, I would like to try it.

    Rob, Feb 9, 2007
  5. Rob

    urkec Guest

    Could you post the script?
    urkec, Feb 11, 2007
  6. Rob

    Rob Guest

    Below is the script with a few troubleshooting wscript.echo commands. It is
    my most recent and does generate the error. Thanks for your continued help.

    'on error resume next
    strComputer = "."
    ' (Security) privilege is required to read the Security log
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
        strComputer & "\root\cimv2")
    ' Subscribe to new Security log records with Event ID 560 (Object Open)
    Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
        ("SELECT * FROM __InstanceCreationEvent WHERE " _
        & "TargetInstance ISA 'Win32_NTLogEvent' " _
        & "and TargetInstance.EventCode = '560' ")

    Do While True
        Set objLatestEvent = nothing
        wscript.sleep 125
        ' NextEvent blocks until the next queued event arrives
        Set objLatestEvent = colMonitoredEvents.NextEvent
        EventMessage = UCase(objLatestEvent.TargetInstance.Message)
        If ((instr(EventMessage ,"READ_CONTROL")<>0) and _
            (instr(EventMessage ,".LNK")=0) and _
            (instr(EventMessage ,"FOLDER.HTT")=0)) Then
            ' The message body is tab-separated "Label:<tab>Value" lines
            MessageArray = Split(EventMessage, vbcrlf)
            FileArray = Split(MessageArray(6), vbtab)
            If (instr(FileArray(2),".")<>0) Then
                DomainArray = Split(MessageArray(16), vbtab)
                UserArray = Split(MessageArray(20), vbtab)
                'wscript.echo "USER: " & UCase(DomainArray(2)) & "\" & UCase(UserArray(2))
                'wscript.echo "FILE: " & UCase(FileArray(2))
                wscript.echo "USER: " & DomainArray(2) & "\" & UserArray(2)
                wscript.echo "FILE: " & FileArray(2)
                wscript.echo "FULLDATETIME: " & objLatestEvent.TargetInstance.TimeGenerated
                ' TimeGenerated is a CIM datetime string: yyyymmddHHMMSS.ffffff+UUU
                t_date = Left(objLatestEvent.TargetInstance.TimeGenerated, 8)
                t_hr = Mid(objLatestEvent.TargetInstance.TimeGenerated, 9, 2)
                t_mn = Mid(objLatestEvent.TargetInstance.TimeGenerated, 11, 2)
                t_sc = Mid(objLatestEvent.TargetInstance.TimeGenerated, 13, 2)
                formated_date = t_date & " " & t_hr & ":" & t_mn & ":" & t_sc
                wscript.echo "DATE: " & formated_date
                wscript.echo "0 if no .LNK in filename: " & instr(FileArray(2),".LNK")
                ' Reset Share so a path outside the known shares does not reuse the previous value
                Share = ""
                If InStr(FileArray(2),"H:\DOCS")<>0 Then
                    Share = "DOCS"
                ElseIf InStr(FileArray(2),"G:\USERS")<>0 Then
                    Share = "USERS"
                ElseIf InStr(FileArray(2),"F:\PROJECTS")<>0 Then
                    Share = "PROJECTS"
                ElseIf InStr(FileArray(2),"I:\SHARED")<>0 Then
                    Share = "SHARED"
                End If
                wscript.echo "SHARE: " & Share & vbcrlf
            End If
        End If
    Loop
    Rob, Feb 12, 2007
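The script above picks fields out of the 560 message by fixed line index (lines 6, 16 and 20) and, under On Error Resume Next, can process the same record twice. The following is an added example, not code from the thread: it applies the same filters and share mapping, but parses the message by field label and de-duplicates on the log's RecordNumber. The sample message body is constructed and its exact line layout is an assumption, which is exactly why the parser does not depend on it.

```python
import re

# Constructed sample of an Event ID 560 (Object Open) message body.
# The real layout differs between Windows builds, so parse by label.
SAMPLE_560 = (
    "Object Open:\r\n"
    "\tObject Server:\tSecurity\r\n"
    "\tObject Type:\tFile\r\n"
    "\tObject Name:\tH:\\DOCS\\budget.xls\r\n"
    "\tNew Handle ID:\t1234\r\n"
    "\tPrimary User Name:\tjsmith\r\n"
    "\tPrimary Domain:\tCORP\r\n"
    "\tAccesses:\tREAD_CONTROL\r\n"
    "\t\t\tSYNCHRONIZE\r\n"
)

# Same drive-letter prefixes the VBScript maps to share names.
SHARES = {"H:\\DOCS": "DOCS", "G:\\USERS": "USERS",
          "F:\\PROJECTS": "PROJECTS", "I:\\SHARED": "SHARED"}


def parse_560(message):
    """Return {label: value} for every 'Label:<tab>Value' line."""
    fields = {}
    for line in message.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\t(.*)", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def classify(record_number, message, seen):
    """Apply the thread's filters; return a record dict or None.

    `seen` holds RecordNumbers already handled, so a replayed event
    (the duplicates seen under On Error Resume Next) is dropped."""
    if record_number in seen:
        return None
    seen.add(record_number)
    f = parse_560(message)
    name = f.get("Object Name", "").upper()
    if ("READ_CONTROL" not in message.upper() or ".LNK" in name
            or "FOLDER.HTT" in name or "." not in name):
        return None
    share = next((s for p, s in SHARES.items() if name.startswith(p)), "")
    user = f"{f.get('Primary Domain', '')}\\{f.get('Primary User Name', '')}"
    return {"user": user, "file": f.get("Object Name"), "share": share}
```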
  7. Rob

    urkec Guest

    I suppose you already read this KB article:

    It seems to be a known problem with WMI event providers, so I don't think
    changing WMI settings will help you. The article refers to the .NET WMI event
    provider, so even if you had that hotfix installed I don't think that would
    urkec, Feb 14, 2007
  8. Rob

    Rob Guest

    Yes, saw it. It refers to .Net 1.0. I have 2.0 installed.
    Rob, Feb 14, 2007
  9. Rob

    urkec Guest

    I don't think it matters which version of .NET framework you have installed,
    because you don't use .NET in your script, so I think you receive events from
    a different provider (I think ntevt.dll, but not sure), not from the
    System.Management.dll. You could try and check if there is an updated version
    of that provider that fixes your problem, and try to install it, but I'm not
    really sure how to do that.
    I don't know exactly what task you are trying to accomplish with your script
    (I suppose more than just echoing messages), but perhaps you should try to
    avoid using event notifications and find some other solution.

    Best regards. Sorry for my English.
    urkec, Feb 14, 2007
  10. Rob

    Rob Guest

    Thanks for your feedback.

    In the end we will be inserting the event records into a SQL database for
    auditing purposes.
    Rob, Feb 14, 2007
