MSFN Forum: event viewer - MSFN Forum


event viewer

#1 User is offline   wildrems 

  • Newbie
  • Group: Members
  • Posts: 15
  • Joined: 17-May 06

Posted 17 May 2006 - 08:12 AM

I have a problem with my event viewer.

I've set the security log size to 4 GB, and use the option to overwrite as needed.

The next day, the oldest log was from yesterday at 16h, but the size of the log was 500 MB and not 4 GB.
Then I set the option to overwrite events older than 7 days.
The same thing happened.

My question is: why are all the logs erased instead of being replaced?
I tried to erase the log file; no difference.

Any idea...

Thanks


#2 User is offline   cluberti 

  • Gustatus similis pullus
  • Group: Supervisor
  • Posts: 11,001
  • Joined: 09-September 01
  • OS:Windows 7 x64

Posted 17 May 2006 - 06:11 PM

Because there's a limitation on memory-mapped processes, drivers, and files in 32-bit Windows - any memory-mapped process, driver, or file can only contain up to 1GB in space, no exceptions. Since the event logging .dll is running in the SharedProcess kernel address space (which is memory-mapped), the total size of all of the other things running in that SharedProcess space (services memory, desktop heap, POSIX/OS2 subsystem, etc.) will add up to the other 500MB or so. By the way, the recommendation for ANY event log on the system is 100MB, especially security.

Long post short - expected behavior.

This post has been edited by cluberti: 17 May 2006 - 06:14 PM


#3 User is offline   wildrems 

  • Newbie
  • Group: Members
  • Posts: 15
  • Joined: 17-May 06

Posted 18 May 2006 - 08:12 AM

This is sad :( , but really helpful. :thumbup

thanks a lot.

This post has been edited by wildrems: 18 May 2006 - 08:12 AM


#4 User is offline   cluberti 

  • Gustatus similis pullus
  • Group: Supervisor
  • Posts: 11,001
  • Joined: 09-September 01
  • OS:Windows 7 x64

Posted 18 May 2006 - 02:19 PM

Yeah, it is a bit sad, but it is simply an architectural limitation of the 32-bit platform.

#5 User is offline   RJARRRPCGP 

  • MSFN Expert
  • Group: Members
  • Posts: 1,154
  • Joined: 13-April 05

Posted 19 May 2006 - 03:25 PM

cluberti, on May 17 2006, 08:11 PM, said:

Because there's a limitation on memory-mapped processes, drivers, and files in 32-bit Windows - any memory-mapped process, driver, or file can only contain up to 1GB in space, no exceptions. Since the event logging .dll is running in the SharedProcess kernel address space (which is memory-mapped), the total size of all of the other things running in that SharedProcess space (services memory, desktop heap, POSIX/OS2 subsystem, etc.) will add up to the other 500MB or so. By the way, the recommendation for ANY event log on the system is 100MB, especially security.

Long post short - expected behavior.



Unless you're talking about how much RAM one process can consume, I don't believe there's any 1 GB limitation, unless it's Windows 9x. Windows 9x, according to Microsoft, only supports 1 GB of RAM. I never heard of a 1 GB limitation with Windows NT, Windows 2000 and Windows XP until today!!

This post has been edited by RJARRRPCGP: 19 May 2006 - 03:27 PM


#6 User is offline   Grunth0s 

  • Member
  • Group: Members
  • Posts: 106
  • Joined: 07-September 05

Posted 19 May 2006 - 03:36 PM

I was also under the impression that since Windows NT4, all processes within the operating system are allocated 2GB of RAM, irrespective of whether that much physical or virtual memory is installed on the system.

I also can't see that a RAM restriction would impact on the size of the event logs, as they are physical log files as opposed to something that is permanently stored in memory.

#7 User is offline   cluberti 

  • Gustatus similis pullus
  • Group: Supervisor
  • Posts: 11,001
  • Joined: 09-September 01
  • OS:Windows 7 x64

Posted 19 May 2006 - 04:21 PM

... and you'd both be wrong :). Memory mapped files are not processes, and yes, they have a 1GB limitation. There is not a public KB article on this, but I believe if you are an MS Partner there is an article describing this.

Edit: I knew this existed. There is a TechNet article which backs me up on this, that is public:
http://technet2.microsoft.com/WindowsServe...3.mspx?mfr=true

The salient bits for those who don't want to read the whole article:

Quote

The Event Log service uses memory-mapped files, and it runs as Eventlog.dll, one of the services under the Services.exe process. When files are loaded in this way, the entire file is loaded into system memory. All of the current versions of Windows have an architectural limitation regarding memory-mapped files: no process can have more than 1 GB of memory-mapped files in total. This means that all of the services running under the Services.exe process must share the 1-GB pool. The memory is assigned as contiguous 64-KB chunks of memory. If the system is unable to assign additional memory needed to expand memory-mapped files, problems will arise.

For the Event Log service, this means that regardless of how large the log has been configured to be, events might no longer be written to the log. Error messages will not be displayed. The events will simply not appear in the event log, or they might overwrite other events that have been recorded previously. Fragmentation of the log files in memory has also been shown to lead to significant performance problems on busy systems.

Due to these limitations — even though the theoretical limit for memory-mapped files suggests that you should be able to configure up to 1 GB for all the event logs, and you can actually specify as much as 4 GB per log — Microsoft has verified that the practical size limit for all event logs combined is around 300 megabytes (MB) on most servers. On Windows XP, member servers, and stand-alone servers, the combined size of the application, security, and system event logs should not exceed 300 MB. On domain controllers, the combined size of these three logs — plus the Directory Service, File Replication Service, and DNS Server logs — should not exceed 300 MB.

This post has been edited by cluberti: 19 May 2006 - 04:24 PM
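
One way to check a machine against the sizing guidance quoted in the post above, as an added example that is not part of the original thread. It assumes Windows PowerShell with the `Get-EventLog` cmdlet; the names `$BudgetMB`, `$Counted` and `$report` are introduced here for illustration.

```powershell
# Added example: compare the configured maximum sizes of the classic event
# logs with the ~300 MB combined guidance from the quoted TechNet text.
$BudgetMB = 300   # combined practical limit stated in the quote

# Logs the quoted article counts toward the combined total. The last three
# exist only on domain controllers and are simply not returned elsewhere.
$Counted = 'Application', 'Security', 'System',
           'Directory Service', 'File Replication Service', 'DNS Server'

$logs = Get-EventLog -List | Where-Object { $Counted -contains $_.Log }

# One row per log: configured ceiling, overwrite policy, retention window.
$report = foreach ($log in $logs) {
    New-Object PSObject -Property @{
        Log            = $log.Log
        MaxSizeMB      = [math]::Round($log.MaximumKilobytes / 1KB, 1)
        OverflowAction = $log.OverflowAction
        RetentionDays  = $log.MinimumRetentionDays
    }
}

$report | Sort-Object MaxSizeMB -Descending |
    Format-Table Log, MaxSizeMB, OverflowAction, RetentionDays -AutoSize

$totalMB = ($report | Measure-Object -Property MaxSizeMB -Sum).Sum

if ($totalMB -gt $BudgetMB) {
    # Per the quote, an oversized configuration fails silently: events are
    # dropped or overwrite earlier ones and no error is shown.
    Write-Warning ("Configured maximums total {0} MB, above the {1} MB guidance." -f $totalMB, $BudgetMB)
    $report | Where-Object { $_.MaxSizeMB -gt 100 } | ForEach-Object {
        Write-Warning ("{0} is set to {1} MB (post #2 recommends 100 MB per log)." -f $_.Log, $_.MaxSizeMB)
    }
} else {
    Write-Output ("Configured maximums total {0} MB, within the {1} MB guidance." -f $totalMB, $BudgetMB)
}

# To bring a log back under the per-log recommendation (run elevated):
# Limit-EventLog -LogName Security -MaximumSize 100MB -OverflowAction OverwriteAsNeeded
```

With a smaller Security log the retention window shrinks, so logs that must be kept longer need to be exported or forwarded to another system before they are overwritten.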


#8 User is offline   Grunth0s 

  • Member
  • Group: Members
  • Posts: 106
  • Joined: 07-September 05

Posted 19 May 2006 - 05:58 PM

Well you learn something new every day.

Many thanks Cluberti for educating me, and, now armed with this very useful information, my whole design philosophy will change!

In all honesty, I have been working with NT since 3.51, and this is the first time I have seen this, and it is very useful to know.

Thanks again.

G
