Re: eventlog performance

Interesting Wolfgang.

I believe that a much higher load would be needed in order
to really stress the logging process. Filesystem access logging
is however probably the most likely to cause issues as this does
load the I/O subsystem doubly hard.

My own feeling is that if dropping of events were an issue, then
there surely would have been some noise about this. In fact, this
post is the first time I have ever seen the potential even discussed.

Roger

<jwgoerlich@xxxxxxxxx> wrote in message
news:1174910493.795161.173670@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Roger Abell [MVP] wrote:
I see where you are coming from Kevin, and it sounds like a
valid potential. All I have to say is that I have never heard
of anyone reporting "lost" events due to loading.


Will Windows' logging miss events under high load situations? I
thought about this and performed the following test:

I created a test folder on a Windows 2003 server. On the NTFS folder,
I set full permissions and set an SACL that records any failure.
Within the folder, I created three test files. I set explicit
permissions such that I could read but not modify the files. I then
created a CIFS share wherein I had full access.

On this same server, I created an Example user and set the password. I
made sure the Example user was a member of the same groups as I, and
that it had the same permissions to the shared files.

I used four Windows clients. On the first three, I ran a script that
opened the test file and attempted to write data. Each client had its
own test file and I modified the script accordingly. This script was
"testwrite.vbs" and I have listed it below. It attempts to write 1000
times.

On the fourth Windows client, I ran a script that attempts to map a
network drive to the Server using the Example user's credentials. I
put in the wrong password, thus in part simulating a brute-force
password attack.

Back on the Windows server, I cleared the security log. I then
executed all four scripts simultaneously. This generates some 5,000
events in a couple of minutes. Would the Windows server drop any of
these events?

I validated the number of events using the testresults.vbs script.
This counts the events by Event ID and gives a report. There were
3,000 failed file access events. There were 2 bad password events,
followed by 998 account locked out events, with a total of 1,000
failed logon messages. All 5,000 events were captured.

I ran this test several times and never saw an event drop. I am
including the scripts below so that you can test this in your own
environment.

Regards,

J Wolfgang Goerlich

--------------------------------------------------------------------------------
' testwrite.vbs

On Error Resume Next

' Constants

Const ForWriting = 2
Const UncTestPath = "\\Server\Testshare"
Const MapTestFile = "testfile1.txt" ' Client 1 uses Test 1, Client 2 uses Test 2, etc


' Dimension Variables

Dim oLog ' Log text file
Dim oNet ' Network
Dim oNTFS ' File System


' Instantiate the objects

Set oNet = CreateObject("WScript.Network")
Set oNTFS = CreateObject("Scripting.FileSystemObject")


For X = 1 to 1000

' Map a network drive

oNet.RemoveNetworkDrive "X:"
oNet.MapNetworkDrive "X:", UncTestPath


' Open the file

Set oLog = oNTFS.OpenTextFile("X:\" & MapTestFile, ForWriting, True)
oLog.WriteLine "Depending on this file's ACL, this write will generate an error." & VbCrlf


' Done, clean up

oLog.Close
Set oLog = Nothing
oNet.RemoveNetworkDrive "X:"

Next

MsgBox "Done!"

--------------------------------------------------------------------------------
' testlogin.vbs

On Error Resume Next

' Constants

Const UncTestPath = "\\Server\Testshare"
Const Username = "Server\Example"
Const Password = "NoSecretNow"

' Dimension Variables

Dim oNet ' Network

' Instantiate the objects

Set oNet = CreateObject("WScript.Network")


For X = 1 to 1000

' Map a network drive

' Using the wrong password will throw:
' Error: Logon failure: unknown user name or bad password.
' Code: 8007052E
' Source: WSHNetwork.MapNetworkDrive

oNet.MapNetworkDrive "X:", UncTestPath, , Username, Password
oNet.RemoveNetworkDrive "X:"

Next

MsgBox "Done!"

--------------------------------------------------------------------------------
' testresults.vbs

Const Computer = "."
Const FailedFileAccess = 560
Const FailedLogon = 680
Const AccountLockedOut = 539
Const BadPassword = 529

' Event Type: Failure Audit
' Event Source: Security
' Event Category: Object Access
' Event ID: 560
' Description:
' Object Open:
' Object Server: Security
' Object Type: File

' Event Type: Failure Audit
' Event Source: Security
' Event Category: Account Logon
' Event ID: 680
' Description:
' Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

' Event Type: Failure Audit
' Event Source: Security
' Event Category: Logon/Logoff
' Event ID: 539
' Description:
' Logon Failure:
' Reason: Account locked out

' Event Type: Failure Audit
' Event Source: Security
' Event Category: Logon/Logoff
' Event ID: 529
' Description:
' Logon Failure:
' Reason: Unknown user name or bad password

FailedFileAccessCount = 0
FailedLogonCount = 0
AccountLockedOutCount = 0
BadPasswordCount = 0

' The (Security) privilege is needed to read the Security log through WMI
Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & Computer & "\root\cimv2")

' 48 = wbemFlagReturnImmediately (16) + wbemFlagForwardOnly (32): stream the
' records instead of buffering the whole log in memory
Set oEvents = oWMI.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'Security'",,48)

On Error Resume Next
For Each oRecord in oEvents

Select Case oRecord.EventIdentifier
Case FailedFileAccess
FailedFileAccessCount = FailedFileAccessCount + 1

Case FailedLogon
FailedLogonCount = FailedLogonCount + 1

Case AccountLockedOut
AccountLockedOutCount = AccountLockedOutCount + 1

Case BadPassword
BadPasswordCount = BadPasswordCount + 1

Case Else
' Any other event ID is not part of this test

End Select

Next

Results = _
"Failed File Access (" & FailedFileAccess & ") = " _
& FailedFileAccessCount & VbCrlf & _
"Failed Logon (" & FailedLogon & ") = " _
& FailedLogonCount & VbCrlf & _
"Account Locked Out (" & AccountLockedOut & ") = " _
& AccountLockedOutCount & VbCrlf & _
"Bad Password (" & BadPassword & ") = " _
& BadPasswordCount

MsgBox Results

--------------------------------------------------------------------------------
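Added example, not one of the scripts from Wolfgang's post. testresults.vbs tallies the four failure audits but never compares the tallies with the number of events the load scripts were supposed to generate, and it does not look at the log's own capacity settings or at the Security events Windows 2000/2003 writes when the log is cleared (517) or when the audit queue overflows and records are lost (516). The script below does all three in Windows PowerShell using Get-EventLog. The expected counts default to the totals reported in the post; the -Since cutoff and the event IDs for a Vista-or-later server are assumptions the reader adjusts for their own run.

```powershell
# Added example; not one of the scripts from the thread. Re-does the tally
# that testresults.vbs performs, then adds two checks the post leaves out:
# comparing each count with what the load scripts should have produced, and
# looking for the Windows 2000/2003 Security events that report the log was
# cleared (517) or that audit records were actually lost (516).
# Assumes Windows PowerShell with Get-EventLog, run elevated on the server.

param(
    # Count only entries written after the log was cleared for the test run.
    [datetime]$Since = (Get-Date).AddHours(-1),

    # Event ID -> number of events the load scripts should have generated.
    # Defaults are the Windows 2003 IDs and the totals reported in the post.
    [hashtable]$Expected = @{
        560 = 3000   # Object Open failure audit: 3 clients x 1000 writes
        680 = 1000   # Logon attempt: 1000 bad-password drive mappings
        529 = 2      # Logon failure: unknown user name or bad password
        539 = 998    # Logon failure: account locked out
    }
)

$LogName         = 'Security'
$AuditQueueLost  = 516   # "Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits"
$AuditLogCleared = 517   # "The audit log was cleared"

# One row per expected ID with its shortfall, so a dropped event shows up as
# a non-zero Missing value instead of being inferred from a grand total.
function Compare-AuditCounts {
    param([hashtable]$Expected, [hashtable]$Observed)
    foreach ($id in ($Expected.Keys | Sort-Object)) {
        $seen = 0
        if ($Observed.ContainsKey([int]$id)) { $seen = $Observed[[int]$id] }
        New-Object PSObject -Property @{
            EventID  = $id
            Expected = $Expected[$id]
            Observed = $seen
            Missing  = $Expected[$id] - $seen
        }
    }
}

# 1. Log capacity and retention. A log that is too small, or one set to
#    DoNotOverwrite, stops recording (or overwrites) regardless of how fast
#    events arrive, so check this before blaming the logging service.
$log = Get-EventLog -List | Where-Object { $_.Log -eq $LogName }
"{0}: max {1} KB, overflow action {2}, {3} entries present" -f `
    $log.Log, $log.MaximumKilobytes, $log.OverflowAction, $log.Entries.Count

# 2. Tally the failure audits written since the test started.
$observed = @{}
Get-EventLog -LogName $LogName -EntryType FailureAudit -After $Since -ErrorAction SilentlyContinue |
    ForEach-Object { $observed[[int]$_.EventID] = 1 + [int]$observed[[int]$_.EventID] }

Compare-AuditCounts -Expected $Expected -Observed $observed |
    Format-Table EventID, Expected, Observed, Missing -AutoSize

# 3. Loss indicators. These are success audits, so query them separately.
#    One 517 is normal here (the log was cleared before the run); any 516
#    means Windows itself reports that audit records were discarded.
$indicators = @(Get-EventLog -LogName $LogName -After $Since `
    -InstanceId $AuditQueueLost, $AuditLogCleared -ErrorAction SilentlyContinue)

foreach ($e in $indicators) {
    "{0:s} event {1}: {2}" -f $e.TimeGenerated, $e.EventID, ($e.Message -split "`n")[0]
}
if ($indicators | Where-Object { $_.EventID -eq $AuditQueueLost }) {
    Write-Warning "Event $AuditQueueLost found: the audit queue overflowed and events were lost."
}
```

Run it on the server after the four client scripts finish, passing -Since the time the log was cleared. A Missing column of zeros together with no 516 entry is the evidence the thread is asking for; a non-zero Missing value with no 516 points at the test setup (a client that did not finish, or a lockout threshold that changed the 529/539 split) rather than at the logging service.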