We've seen this on busy machines, such as SQL Servers and especially domain controller machines. Oddly,we don't see this on any of our Exchange Servers, though we do see it once in a while on workstations.

We haven't done anything specifically for this, but we would also be interested in knowing if there is a sure fire explanation for the behavior other than the monitored machine is just too busy causing entries to be ignored by the agent even though they are being logged into the event logs.


Legacy Forum Name: Server,
Legacy Posted By Username: vplaza

I sent an e-mail to K support asking them about this topic. I will post the answer they give me.


Legacy Forum Name: Server,
Legacy Posted By Username: byulke

Just chiming in that we are recieving the same error. Interested to see Kaseya's reply.

Legacy Forum Name: Server,
Legacy Posted By Username: mcmonagle

K support called me yesterday about this issue.

There is a limit imposed on the number of log entries collected by the K server of 100 per half hour. If that limit is exceeded, then it produces that error message.

Their reasoning for this is two-fold. First is to prevent the K server from being overloaded with incoming log entries. The second is to send up a warning flag to the administrators that something is wrong. Because, really, that any log entries should not be produced in that short amount of time. For me, it seems to be a result of Symantec Antivirus giving warnings about not being able to scan within compressed files.

I was told there is a way to modify the limit of 100 but that it is not recommended by K and they will not support that configuration. I plan on drilling down and addressing each set of errors that is triggering this message.




Legacy Forum Name: Server,
Legacy Posted By Username: byulke

The real problem here is that once the overflow occurs, collection of those events is permanently disabled and there's no one-click way of enabling it again. It would be nice if there was a way to quickly find all the machines whose log settings had been changed and put them back the way they were before the overflow occurred. Anyone know of a way to do this, other than manually scanning for red characters in the Alerts screens?

Legacy Forum Name: Server,
Legacy Posted By Username: David_Schrag

You could set up an Event Set to send you an alert when it finds the entries in either the Application or System Event logs that indicate logging has been disabled.

That way, you know right away when logging is disabled and can act on that machine right away.


Legacy Forum Name: Server,
Legacy Posted By Username: vplaza

Yeah, I could set up an event set that generates an e-mail and/or a ticket, but I was hoping for something a little more automatic. Maybe in a future release ....

Legacy Forum Name: Server,
Legacy Posted By Username: David_Schrag

Yes, I agree. We shouldn't have to create an event set to alert us when logging is disabled since once it's disabled, we won't be getting alerts that we might think we would be getting.

If you have hundreds of machines, it is cumbersome to look for the red letters in the Alerts area. However, it is a little quicker to see them in the Agent->Log Settings screen, since all the ones with dashes are the ones that would normally need to be re-enabled.


Legacy Forum Name: Server,
Legacy Posted By Username: vplaza

It would be nice to have the logging disabled condition expire automatically after a certain period of time. I've found a lot of times, a simple reboot is enough to overload the server with application log entries, much less if someone is having a nagging problem with entries in the event log.



I do think coupled with an event set that it's a good motivator to solving some event log issues that you might normally brush off or not notice. However, it's frustrating when it's informational event records doing the overloading that you can't really stop.


Legacy Forum Name: Server,
Legacy Posted By Username: mgengenbach

We get the same error for some machines. In all three posts about Overflow detected I did not see someone mention what follows next. Maybe something for Kaseya to check for. Errors are

Description: Overflow detected. The Agent stopped collecting Information events for the System event log because more than 100 events occurred in the last 3 minutes.

Description: Overflow detected. Too many System event log entries received from the machine in the last 60 seconds. 14 entries have been ignored. Use remote control to access the machine to view the entire event log.

Allthough we have set to report only on errors in a log the Kaseya agent counts all events. It's not counting the events which Kaseya is monitoring, in our case only errors. IMO the Kaseya agent should only count the selected type of events for monitoring and report likewise.


Legacy Forum Name: Server,
Legacy Posted By Username: joosan

We get the same error for some machines. In all three posts about Overflow detected I did not see someone mention what follows next. Maybe something for Kaseya to check for. Errors are

Description: Overflow detected. The Agent stopped collecting Information events for the System event log because more than 100 events occurred in the last 3 minutes.

Description: Overflow detected. Too many System event log entries received from the machine in the last 60 seconds. 14 entries have been ignored. Use remote control to access the machine to view the entire event log.

Allthough we have set to report only on errors in a log the Kaseya agent counts all events. It's not counting the events which Kaseya is monitoring, in our case only errors. IMO the Kaseya agent should only count the selected type of events for monitoring and report likewise.


Legacy Forum Name: Server,
Legacy Posted By Username: joosan

We get the same error for some machines. In all three posts about Overflow detected I did not see someone mention what follows next. Maybe something for Kaseya to check for. Errors are

Description: Overflow detected. The Agent stopped collecting Information events for the System event log because more than 100 events occurred in the last 3 minutes.

Description: Overflow detected. Too many System event log entries received from the machine in the last 60 seconds. 14 entries have been ignored. Use remote control to access the machine to view the entire event log.

Allthough we have set to report only on errors in a log the Kaseya agent counts all events. It's not counting the events which Kaseya is monitoring, in our case only errors. IMO the Kaseya agent should only count the selected type of events for monitoring and report likewise.


Legacy Forum Name: Server,
Legacy Posted By Username: joosan

I've been on the phone with Kaseya recently on the overflow issue. I have requested they review the handling of this matter. From what I've seen, it's quite common for a system to have a burst of event log entries. This occasional burst is not a sustained event log pounding. However, Kaseya disables logging after this "burst" and requires manual reinstatement of logging. They've explained that the overflow logic is there to assure the Kaseya server does not get over burdened when a one or more systems is getting an event log pounding.

What I've requested is to make this more self healing. I've asked them to consider implementing an overflow entry limit, a reinstatement timeout, and a reinstatement limit, reinstatement limit reset. These could be implemented at the server o agent level. I'm for the agent level as it would allow for more flexibility. Here's how I see it working:

Overflow entry limit: 100
Reinstatement timeout: 5 minutes
Reinstatement limit: 2 times
Reinstatement limit reset: 1 day

Sample #1: Quick event log burst

11:30am: Server1 creates 150 events in the application event log.
11:31am: Kaseya disables application event monitoring for Server1 agent (overflow entry limit has been exceeded).
11:36am: Kaseya automatically reinstates application event monitoring for Server1 agent (reinstatement attempt #1)

Result: Event logging monitoring was restored after 5 minutes (reinstatement timeout) and only a few minutes of application events were missed and Kaseya server performance is still intact.

Sample #2: Sustained writing to event log

11:30am: Server1 creates 150 events in the application event log.
11:31am: Kaseya disables application event monitoring for Server1 agent (overflow entry limit has been exceeded).
11:36am: Kaseya automatically reinstates application event monitoring for Server1 agent (reinstatement attempt #1).
11:37am: Server1 creates 200 events in the application event log.
11:38am: Kaseya disables application event monitoring for Server1 agent (overflow entry limit has been exceeded).
11:43am: Kaseya automatically reinstates application event monitoring for Server1 agent (reinstatement attempt #2).
11:44am: Server1 creates 150 events in the application event log.
11:45am: Kaseya disables application event monitoring for Server1 agent (overflow entry limit has been exceeded).
11:45am: Kaseya permanently disables application event log monitoring and reports that logged has been disabled due to overflow (reinstatement limit exceeded)

Result: Event logging monitoring could not be restored due to sustained event log entries being created. Logging has been permanently disabled and Kaseya server performance is still intact.


Anyone else think this is a better way and would save them some grief?

Matt



Legacy Forum Name: Server,
Legacy Posted By Username: connectex

David_Schrag wrote:

The real problem here is that once the overflow occurs, collection of those events is permanently disabled and there's no one-click way of enabling it again. It would be nice if there was a way to quickly find all the machines whose log settings had been changed and put them back the way they were before the overflow occurred. Anyone know of a way to do this, other than manually scanning for red characters in the Alerts screens?

I go to Agent/Log Setting and check the ones that are not logging anymore and click the update. I know its not the fix but quicker then going to all the alerts screens.


Legacy Forum Name: Server,
Legacy Posted By Username: jasonp