Article created 2003-05-09 by Tamsila-Q-Siddique.
Reporting Log Truncation
This step-by-step guide was inspired by a customer question. The customer needed to record all events seen in the event logs. Because of the overall setup, however, a lot of "event log truncated" messages occurred. These, too, should be forwarded, but only one in a row (multiple such events occurred in quick succession, uselessly filling up the central log). This scenario also serves as a good sample of how to report only the first instance of frequently recurring events while reporting all of the rest. In this example we assume that all messages should be forwarded via syslog to the central syslog server at 10.0.0.1. We use the default format for forwarding. Please replace this with whatever actions you desire.
In order to achieve this goal, we have to use filter conditions. Whenever a log is truncated, Event ID 1011 is registered in the Windows Event Log by the Configuration Program. Keep in mind that an Event ID alone is not meaningful, so we need to complement it with the Source and the Log part to make it unique. The filter process will basically work as follows (for details see the steps below):
- Rule 1: Finds the 1011 event and makes sure it is only reported once within a given period.
- Rule 2: Discards all 1011 events (the first one will have been forwarded by rule 1; all consecutive ones are simply discarded, just as the scenario requires).
- Rule 3: Processes all other messages (event 1011 will never arrive here, because it was discarded in rule 2).
Obviously, Rule 3 can be many rules, as many as you like. Rules 1 and 2 can be repeated if you have more than a single event to be treated that way.
1. Once the Configuration Program is opened, create a new service, i.e. an Event Log Monitor.
2. Add a new Ruleset. We name it Reporting Log Truncation Rule.
3. Add a new rule named Log Truncation (this is Rule 1 from the overview above).
4. Click on the Filter Conditions of Log Truncation. Now start applying filters; in the end your filter condition will look like the screenshot shown below. To prevent this rule from firing too often we enable “Minimum Wait Time”. This makes sure that the “log truncation” events are only forwarded once within the specified period.
5. Now create a new action “Forward via Syslog” and configure it according to your settings, e.g. the Syslog Server is set to 10.0.0.1.
6. Don’t forget to bind your ruleset, i.e. Reporting Log Truncation Rule, to the service, i.e. the Event Log Monitor.
1. Add a new Rule named “Discard” (this is Rule 2 from the overview above).
2. Click on the Filter Condition and set the filter as described in step 4 above, but without enabling Minimum Wait Time. It should look as follows:
3. Now define an action called “Discard”. This Discard action gets rid of all the remaining 1011 events after the first one has been forwarded via syslog by the previous rule.
1. Add a new Rule named “Forward Syslog” (this is Rule 3 from the overview above).
2. Leave the Filter Condition as it is, i.e. no filters are specified. By default this applies to the rule as a whole, so every remaining event matches.
3. Now define a new action “Forward via Syslog” and set the configuration according to your settings, e.g. the Syslog Server set to 10.0.0.1 as in the first rule.
Once done with the rules, don’t forget to restart your Configuration Program!
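As an added illustration (not code from the Adiscon product or from the original article), the following Python simulation models the three-rule chain described in the overview and built in the steps above: Rule 1 with Minimum Wait Time, Rule 2 discarding, and Rule 3 forwarding everything else. The Log and Source strings used for event 1011 and the sample events are assumed placeholders, not verified values.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
# Assumed placeholders: the Log and Source strings for the 1011 event are not verified.
TRUNC_LOG, TRUNC_SOURCE, TRUNC_ID = "Application", "Configuration Program", 1011

@dataclass(frozen=True)
class Event:
    ts: float  # seconds (constructed timestamps)
    log: str
    source: str
    event_id: int
def is_truncation(ev: Event) -> bool:
    # An Event ID alone is not unique: Log and Source are part of the filter.
    return (ev.event_id, ev.log, ev.source) == (TRUNC_ID, TRUNC_LOG, TRUNC_SOURCE)

@dataclass
class Rule:
    match: Callable[[Event], bool]
    action: str            # "forward" or "discard"
    min_wait: float = 0.0  # "Minimum Wait Time" in seconds; 0 = disabled
    last_fired: Optional[float] = field(default=None, init=False)
    def fires(self, ev: Event) -> bool:
        if not self.match(ev):
            return False
        if self.min_wait and self.last_fired is not None and ev.ts - self.last_fired < self.min_wait:
            return False   # matched, but fired too recently: suppressed
        self.last_fired = ev.ts
        return True

def run_ruleset(events, wait=600.0):
    rules = [Rule(is_truncation, "forward", min_wait=wait),  # Rule 1: first truncation per period
             Rule(is_truncation, "discard"),                  # Rule 2: drop the rest
             Rule(lambda ev: True, "forward")]                # Rule 3: no filter, everything else
    forwarded = []   # (event_id, source) pairs that reach the syslog server
    for ev in events:
        for rule in rules:
            if not rule.fires(ev):
                continue
            if rule.action == "discard":
                break      # Discard ends processing: Rule 3 never sees this event
            forwarded.append((ev.event_id, ev.source))
    return forwarded

SAMPLE_EVENTS = [  # constructed sample: a truncation burst, then other traffic
    Event(0, "Application", "Configuration Program", 1011),
    Event(2, "Application", "Configuration Program", 1011),   # 2 s later: suppressed + discarded
    Event(10, "Security", "Security", 528),      # unrelated event, must be forwarded
    Event(20, "Application", "OtherApp", 1011),  # same ID, other source: not a truncation
    Event(700, "Application", "Configuration Program", 1011),  # wait period elapsed
]
```

Running `run_ruleset(SAMPLE_EVENTS)` forwards only the first and the last truncation plus the two unrelated events; with `wait=0` every 1011 event would be forwarded, which is the behaviour the Minimum Wait Time prevents.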