[logs] Getting Windows logs through WMI Jan 16 2008 05:40AM
Vincent Bernat (bernat luffy cx) (2 replies)
Re: [logs] Getting Windows logs through WMI Jan 16 2008 12:05PM
Paul Melson (pmelson gmail com) (1 replies)
Re: [logs] Getting Windows logs through WMI Jan 16 2008 01:39PM
Vincent Bernat (bernat luffy cx) (1 replies)

On Wed, 16 Jan 2008 07:05:38 -0500, "Paul Melson" <pmelson (at) gmail (dot) com [email concealed]>
wrote:
> On Jan 16, 2008 12:40 AM, Vincent Bernat <bernat (at) luffy (dot) cx [email concealed]> wrote:
> [...]
>> However, it seems that there is a major drawback to using WMI: when the
>> event log file is 100 MB large, the WMI call times out whatever the
>> request is. I mean, you may ask for log trail 45722 or for the 100 last log
>> trails or the 100 first log trails, the WMI call takes too much time and
>> times out.
> [...]
>> For some large organizations, a 100 MB large file is quite common (and
>> filled in an hour, so we cannot ask them to use a smaller size). Do you
>> know of any workaround to this limitation?
>
> I've not run across this issue before. Can you tell me more about the
> environment? The version of Windows Server, the hardware of the
> server(s), etc. ?

Hi Paul,

Thanks for your quick reply. I have only tested with Windows 2000 Server
with different hardware configurations (from Quad-PIII 1 GHz with 1G RAM to
PIV 3 GHz with 2G). Since there is no difference, I do most of my tests
with a virtual machine on my desktop computer (PIV 2.6 GHz, 2 G RAM, virtual
machine gets 256 MB of RAM).

> Also, what log file are you trying to retrieve? And what does your
> WQL query look like? (i.e. "Select * from Win32_NTLogEvent Where
> Logfile = 'Security'")

I use requests like "Select * from Win32_NTLogEvent where
LogFile='application' and RecordNumber > 1542". However, I get the same
error with requests like "Select * from Win32_NTLogEvent where
RecordNumber=1542". To test, I use this script that fills the Application
log:

8<---------------------------
Set objShell = Wscript.CreateObject("Wscript.Shell")
' Long padding message so the Application log grows quickly. A VBScript
' string literal cannot span lines, so the pieces are joined with "& _".
strMessage = "Test 1 - fgsdjkfhjkghjskgjfkjghfdkjghkfjdghjkdfhg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgfg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgfg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgfg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgfg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgfg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgfg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgfg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgfg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgfg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgfg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgfg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgfg " & _
    "jkghfdgh kjghdghfkhg jkhdgfkjdgfg jkghfdgh kjghdghfkhg jkhdgfkjdgf"
i = 0
' i is never incremented, so this loops until the script is stopped.
Do While 100 > i
    ' LogEvent type 0 = SUCCESS; the entry goes to the Application log
    objShell.LogEvent 0, strMessage
Loop
8<---------------------------

Following your suggestion, I did the same test on Windows 2003 Server.
Simple requests like RecordNumber < 5 are immediate and more complex ones
like > 5 take some time but succeed. Therefore, it seems I hit a limitation
with Windows 2000. Well, I hope that its market share will decrease quickly.

> And finally, if you're doing this currently with VBScript, have you
> thought about changing languages? I know that in general timeouts for
> objWMI/GetObject in VBScript are an issue. Seems to me that if you
> were to write your handler in, say C#, that you would be able to
> increase the connection timeout to whatever you wanted.

I am using Python from a Linux machine, using the recent WMI binding from
the Samba project. This is quite experimental but works perfectly with
normal-sized logfiles. I can set the timeout and I use wbemTimeoutInfinite.
I think this has nothing to do with the implementation, since the server
answers back with an RPC_S_CALL_FAILED error after about 30 seconds. But I
cannot be sure, of course. I will try to find some C# code to test simple
requests. Maybe the timeout is server side too.

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
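As an added example (not code from the thread or its authors), here is a VBScript collector that pulls Win32_NTLogEvent records in bounded RecordNumber windows, so that each WMI call asks for a small slice instead of "everything after the checkpoint" and is less likely to hit the timeout described above on servers where bounded queries do succeed. The starting checkpoint (1542), the window size, the empty-window limit and the "." computer name are placeholders chosen for this example.

```vbscript
' Incremental Application-log pull over WMI in small RecordNumber windows.
' Assumed: the collector persists lngLast (the highest RecordNumber already
' collected) between runs; here it is a constant for a stand-alone run.
Option Explicit
Dim strComputer, objWMI, colEvents, objEvent
Dim lngLast, lngProbe, lngWindow, lngCount, intEmpty

strComputer = "."      ' local machine; a hostname for a remote pull
lngLast = 1542         ' checkpoint: last record collected on the previous run
lngWindow = 200        ' records per WMI call; keep small to bound call time
intEmpty = 0           ' consecutive empty windows seen so far

Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\cimv2")

' Walk the log in windows (lngProbe, lngProbe + lngWindow]. An empty window
' does not end the run immediately: a log that has wrapped can leave a gap
' of record numbers that no longer exist, so a few empty windows are
' tolerated before the loop stops.
lngProbe = lngLast
Do
    lngCount = 0
    Set colEvents = objWMI.ExecQuery( _
        "Select RecordNumber, TimeGenerated, SourceName, EventCode, Message " & _
        "from Win32_NTLogEvent where Logfile='Application' " & _
        "and RecordNumber > " & lngProbe & _
        " and RecordNumber <= " & (lngProbe + lngWindow))
    For Each objEvent In colEvents
        WScript.Echo objEvent.RecordNumber & vbTab & objEvent.TimeGenerated & _
            vbTab & objEvent.SourceName & vbTab & objEvent.EventCode
        ' Advance the checkpoint only on records actually returned, never on
        ' probed-but-empty ranges, so nothing written later is skipped.
        If objEvent.RecordNumber > lngLast Then lngLast = objEvent.RecordNumber
        lngCount = lngCount + 1
    Next
    If lngCount = 0 Then
        intEmpty = intEmpty + 1
    Else
        intEmpty = 0
    End If
    lngProbe = lngProbe + lngWindow
Loop While intEmpty < 5

' lngLast is the checkpoint to persist for the next run.
WScript.Echo "Checkpoint: " & lngLast
```

Run it with cscript so the output goes to the console; the window size is the knob to lower if individual calls still take too long.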

Copyright 2010, SecurityFocus