paleg / eventlog-to-syslog

Automatically exported from code.google.com/p/eventlog-to-syslog

events are time-shifted on a DC #61

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?
On a Windows 2003 Domain Controller, mode Include Only or not, messages are 
time-shifted and the delay gets greater and greater. As the Security log is 
dropped every 30 min, more than 50% of the events are lost!
Although, on a member server the agent works very well!

What version of the product are you using? On what operating system?
Version : 443

Please provide any additional information below.

Original issue reported on code.google.com by rudbl...@gmail.com on 2 May 2012 at 1:19

GoogleCodeExporter commented 8 years ago
Hmm, it would appear the utility is getting backed up reading and sending the 
logs. How many logs do you generate a second on average?

Original comment by sherwin....@gmail.com on 3 May 2012 at 4:43

GoogleCodeExporter commented 8 years ago
This problem also appears on a test DC whose security log is dropped every 24 
hours.
In this case the delay is increasing up to more than 1 hour between the 
generation of the event and sending it.
The number of logs generated can be estimated at more than 300000/day, 3-4 
per second on average.

Original comment by rudbl...@gmail.com on 3 May 2012 at 7:57

GoogleCodeExporter commented 8 years ago
On the same test DC, if not filtering events at all, it looks very good; they 
are all sent in real time! Unfortunately I need only a tiny collection of 
these events.

Original comment by rudbl...@gmail.com on 3 May 2012 at 2:31

GoogleCodeExporter commented 8 years ago
Ok now it makes sense. I've used it on busier servers, but I have not had the 
opportunity to test filtering out on servers that busy. I'll take a look at 
anything that can be done to increase the efficiency there, but is there any 
way you can do the filtering on the syslog side?

Original comment by sherwin....@gmail.com on 4 May 2012 at 4:21

GoogleCodeExporter commented 8 years ago
Yes, of course filtering on the syslog side is easy, but I want to avoid 
needlessly overloading the network.

Original comment by rudbl...@gmail.com on 4 May 2012 at 6:55

GoogleCodeExporter commented 8 years ago

Original comment by sherwin....@gmail.com on 16 Aug 2012 at 2:11

GoogleCodeExporter commented 8 years ago
Hi,
I use several Windows Server 2003 32x, 4.4.3 (32-Bit) LP, rsyslog.

I have the exact same problem (when filtering only one event, 560, from 
Security-Auditing). Can I hope that this will be resolved, and leave my temporary 
solution on the syslog side?

Best regards
Roman
(Ukraine)

Original comment by angerN...@gmail.com on 14 Mar 2013 at 7:17

GoogleCodeExporter commented 8 years ago
Hi! Same problem over here!

Up to yesterday I was filtering 3 events, resulting in a one-hour delay.
Yesterday I started filtering 6 events; the result today at 9am is a 16-hour 
delay! :(

So, I have rolled back the configuration and started filtering again only "Security: 
538"/"Security: 540"/"Security: 680".

Today, 9am, I have 16 hours! :( Last log on my rsyslog server in /var/log/: "May  8 
17:11:04 #SERVERNAME# evtsys-#SERVERCODE#: Security: 540:"

I will try to increase the evtsys service priority through Windows services, but 
I do not think it will work. I will test this and post here if I see any change.

Can anyone verify this???
Thanks in advance!
Germán

Original comment by german.c...@gmail.com on 9 May 2013 at 12:45
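A check a defender can run over rsyslog output to catch the widening delay these comments describe, as an added example (not code from the eventlog-to-syslog project). It assumes a hypothetical rsyslog template that writes both the receive time and the reported time on every line, and that the reported time is the event's own timestamp; the thread does not say what evtsys puts in the header.

```python
import re
from datetime import datetime, timedelta

# Assumed (hypothetical) rsyslog template: <timegenerated> <timereported> <host> <tag>: <msg>
# timegenerated = when rsyslog received the line; timereported = the syslog header time,
# assumed here to be the event's own time (the thread does not say what evtsys sends).
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([^:]+): (.*)$")
TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample (not real data): only "Security: 540" forwarded, lag widening.
SAMPLE_LINES = """\
2013-05-08T17:00:00 2013-05-08T16:59:55 dc01 evtsys-DC01: Security: 540: logon
2013-05-08T17:05:00 2013-05-08T16:58:00 dc01 evtsys-DC01: Security: 540: logon
2013-05-08T17:10:00 2013-05-08T16:55:00 dc01 evtsys-DC01: Security: 540: logon
not a syslog line, must be skipped
2013-05-08T17:15:00 2013-05-08T16:40:00 dc01 evtsys-DC01: Security: 540: logon
""".splitlines()

def parse_line(line):
    """Return (received, reported, message) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        received = datetime.strptime(m.group(1), TS_FMT)
        reported = datetime.strptime(m.group(2), TS_FMT)
    except ValueError:
        return None
    return received, reported, m.group(5)

def forwarding_lag_report(lines, retention=timedelta(minutes=30),
                          warn=timedelta(minutes=5)):
    """Forwarding lag per line; 'losing-events' once lag exceeds the source
    log's retention window (entries get overwritten before they are read)."""
    lags = []  # (received, lag) in arrival order
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            lags.append((parsed[0], parsed[0] - parsed[1]))
    if not lags:
        return {"samples": 0, "status": "no-data"}
    max_lag = max(lag for _, lag in lags)
    # Lag gained per wall-clock minute, first to last sample; >0 means falling behind.
    span = (lags[-1][0] - lags[0][0]).total_seconds() / 60
    growth = (lags[-1][1] - lags[0][1]).total_seconds() / span if span else 0.0
    over = sum(1 for _, lag in lags if lag > retention)
    status = "losing-events" if over else "lagging" if max_lag > warn else "ok"
    return {"samples": len(lags), "max_lag_s": int(max_lag.total_seconds()),
            "growth_s_per_min": round(growth, 1), "over_retention": over,
            "status": status}
```

The retention default of 30 minutes matches the Security log overwrite interval reported at the top of this issue; set it to whatever the DC's log is actually sized for.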

GoogleCodeExporter commented 8 years ago
Nothing worked for me... and no answer...

Original comment by german.c...@gmail.com on 27 May 2013 at 12:18