Kaseya Community

Overflow detected. Too many Security event log entries

  • My event log entries read as follows:

    7:06:41 am 11-Sep-06 System Kaseya Server None 5000 N/A Overflow detected. Too many Security event log entries received from the machine in the last 90 seconds. 23 entries have been ignored. Use remote control to access the machine to view the entire event log.

    7:03:25 am 11-Sep-06 System Kaseya Agent None 5024 N/A Overflow detected. The Agent stopped collecting Success Audit events for the Security event log because more than 100 events occurred in the last 3 minutes.

    I run a daily "log checking" report for all of my managed servers. The report sends an e-mail containing all the event log errors for the last 24 hours. The above errors occur daily on almost every server. When I look at my Security log the number of entries listed for that time frame does not match what the error is reporting. Sometimes it is relatively close, other times it is way off. For example, in the case of the second error above (5024) it says more than 100 events occurred, but between 7:00:00am and 7:04:00am only 62 events occurred. On another server I checked today fewer than a dozen errors had actually occurred.

    This is more of a nuisance than anything else right now, but I'm afraid that an event will occur for which I have set an alert and that alert will not trigger because the event was not collected. I'm wondering if anyone else has run into this issue and what they might be doing about it.


    Legacy Forum Name: Overflow detected. Too many Security event log entries,
    Legacy Posted By Username: byulke
  • We've seen this on busy machines, such as SQL Servers and especially domain controller machines. Oddly, we don't see this on any of our Exchange Servers, though we do see it once in a while on workstations.

    We haven't done anything specifically for this, but we would also be interested in knowing if there is a sure fire explanation for the behavior other than the monitored machine is just too busy causing entries to be ignored by the agent even though they are being logged into the event logs.


    Legacy Forum Name: Server,
    Legacy Posted By Username: vplaza
  • I sent an e-mail to K support asking them about this topic. I will post the answer they give me.


    Legacy Forum Name: Server,
    Legacy Posted By Username: byulke
  • Just chiming in that we are receiving the same error. Interested to see Kaseya's reply.

    Legacy Forum Name: Server,
    Legacy Posted By Username: mcmonagle
  • K support called me yesterday about this issue.

    There is a limit imposed on the number of log entries collected by the K server of 100 per half hour. If that limit is exceeded, then it produces that error message.

    Their reasoning for this is two-fold. First is to prevent the K server from being overloaded with incoming log entries. The second is to send up a warning flag to the administrators that something is wrong. Because, really, that many log entries should not be produced in that short amount of time. For me, it seems to be a result of Symantec Antivirus giving warnings about not being able to scan within compressed files.

    I was told there is a way to modify the limit of 100 but that it is not recommended by K and they will not support that configuration. I plan on drilling down and addressing each set of errors that is triggering this message.




    Legacy Forum Name: Server,
    Legacy Posted By Username: byulke
  • The real problem here is that once the overflow occurs, collection of those events is permanently disabled and there's no one-click way of enabling it again. It would be nice if there was a way to quickly find all the machines whose log settings had been changed and put them back the way they were before the overflow occurred. Anyone know of a way to do this, other than manually scanning for red characters in the Alerts screens?

    Legacy Forum Name: Server,
    Legacy Posted By Username: David_Schrag
  • You could set up an Event Set to send you an alert when it finds the entries in either the Application or System Event logs that indicate logging has been disabled.

    That way, you know right away when logging is disabled and can act on that machine right away.


    Legacy Forum Name: Server,
    Legacy Posted By Username: vplaza
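A small checker for the kind of entries the event set above would look for, added here as an example; it is not part of the original posts and not Kaseya's product code. It parses alert lines in the layout quoted at the top of the thread (time, date, log, source, category, event ID, user, description), picks out the server's 5000 "entries have been ignored" alerts and the agent's 5024 "stopped collecting" alerts, and lists which log/event-type pairs have had collection switched off and need re-enabling. The first two sample lines are the ones from the thread; the others are constructed, and the field layout, regular expressions and function names are assumptions based on those two lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input. The first two lines are quoted from the thread;
# the remaining lines are made up for this example.
SAMPLE_LINES = [
    "7:06:41 am 11-Sep-06 System Kaseya Server None 5000 N/A Overflow detected. "
    "Too many Security event log entries received from the machine in the last 90 seconds. "
    "23 entries have been ignored. Use remote control to access the machine to view the entire event log.",
    "7:03:25 am 11-Sep-06 System Kaseya Agent None 5024 N/A Overflow detected. "
    "The Agent stopped collecting Success Audit events for the Security event log "
    "because more than 100 events occurred in the last 3 minutes.",
    "7:10:02 am 11-Sep-06 System Kaseya Agent None 5024 N/A Overflow detected. "
    "The Agent stopped collecting Information events for the System event log "
    "because more than 100 events occurred in the last 3 minutes.",
    "7:12:00 am 11-Sep-06 System Service Control Manager None 7036 N/A "
    "The Print Spooler service entered the running state.",
]

# Assumed layout: time date log source category event_id user description.
# The source may contain spaces ("Kaseya Server"), so it is matched lazily.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [ap]m) (?P<date>\d{2}-\w{3}-\d{2}) "
    r"(?P<log>\S+) (?P<source>.+?) (?P<category>\S+) (?P<event_id>\d+) "
    r"(?P<user>\S+) (?P<description>.*)$"
)
# Agent event 5024: collection of one event type for one log has stopped.
DISABLED_RE = re.compile(r"stopped collecting (?P<etype>.+?) events for the (?P<log>\w+) event log")
# Server event 5000: the K server dropped entries from this machine.
IGNORED_RE = re.compile(r"Too many (?P<log>\w+) event log entries .*?(?P<count>\d+) entries have been ignored")


@dataclass
class OverflowFinding:
    kind: str                  # "disabled" (agent 5024) or "ignored" (server 5000)
    log: str                   # Windows event log affected, e.g. "Security"
    event_type: Optional[str]  # event type whose collection stopped (5024 only)
    ignored: int               # entries dropped by the server (5000 only)
    raw: str                   # the original line, for the ticket or e-mail


def parse_line(line: str) -> Optional[OverflowFinding]:
    """Return a finding for an overflow alert line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event_id, source, desc = int(m["event_id"]), m["source"], m["description"]
    if source == "Kaseya Agent" and event_id == 5024:
        d = DISABLED_RE.search(desc)
        if d:
            return OverflowFinding("disabled", d["log"], d["etype"], 0, line)
    if source == "Kaseya Server" and event_id == 5000:
        i = IGNORED_RE.search(desc)
        if i:
            return OverflowFinding("ignored", i["log"], None, int(i["count"]), line)
    return None


def find_overflow_alerts(lines: List[str]) -> List[OverflowFinding]:
    """All overflow-related findings in a batch of alert lines, in input order."""
    return [f for f in map(parse_line, lines) if f is not None]


def logs_needing_reenable(lines: List[str]) -> List[Tuple[str, str]]:
    """Sorted (log, event type) pairs whose collection the agent switched off."""
    return sorted({(f.log, f.event_type) for f in find_overflow_alerts(lines) if f.kind == "disabled"})


if __name__ == "__main__":
    for f in find_overflow_alerts(SAMPLE_LINES):
        print(f.kind, f.log, f.event_type or "", f.ignored or "")
    print("re-enable:", logs_needing_reenable(SAMPLE_LINES))
```

Running this on the sample lines reports one "ignored" finding (Security log, 23 entries) and two "disabled" findings, and `logs_needing_reenable` returns the two log/type pairs to fix in Agent->Log Settings; the non-overflow line is skipped.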
  • Yeah, I could set up an event set that generates an e-mail and/or a ticket, but I was hoping for something a little more automatic. Maybe in a future release ....

    Legacy Forum Name: Server,
    Legacy Posted By Username: David_Schrag
  • Yes, I agree. We shouldn't have to create an event set to alert us when logging is disabled since once it's disabled, we won't be getting alerts that we might think we would be getting.

    If you have hundreds of machines, it is cumbersome to look for the red letters in the Alerts area. However, it is a little quicker to see them in the Agent->Log Settings screen, since all the ones with dashes are the ones that would normally need to be re-enabled.


    Legacy Forum Name: Server,
    Legacy Posted By Username: vplaza
  • It would be nice to have the logging disabled condition expire automatically after a certain period of time. I've found a lot of times, a simple reboot is enough to overload the server with application log entries, much less if someone is having a nagging problem with entries in the event log.



    I do think coupled with an event set that it's a good motivator to solving some event log issues that you might normally brush off or not notice. However, it's frustrating when it's informational event records doing the overloading that you can't really stop.


    Legacy Forum Name: Server,
    Legacy Posted By Username: mgengenbach
  • We get the same error for some machines. In all three posts about Overflow detected I did not see someone mention what follows next. Maybe something for Kaseya to check for. Errors are

    Description: Overflow detected. The Agent stopped collecting Information events for the System event log because more than 100 events occurred in the last 3 minutes.

    Description: Overflow detected. Too many System event log entries received from the machine in the last 60 seconds. 14 entries have been ignored. Use remote control to access the machine to view the entire event log.

    Although we have set to report only on errors in a log the Kaseya agent counts all events. It's not counting the events which Kaseya is monitoring, in our case only errors. IMO the Kaseya agent should only count the selected type of events for monitoring and report likewise.


    Legacy Forum Name: Server,
    Legacy Posted By Username: joosan
  • I've been on the phone with Kaseya recently on the overflow issue. I have requested they review the handling of this matter. From what I've seen, it's quite common for a system to have a burst of event log entries. This occasional burst is not a sustained event log pounding. However, Kaseya disables logging after this "burst" and requires manual reinstatement of logging. They've explained that the overflow logic is there to assure the Kaseya server does not get over burdened when one or more systems are getting an event log pounding.

    What I've requested is to make this more self healing. I've asked them to consider implementing an overflow entry limit, a reinstatement timeout, and a reinstatement limit, reinstatement limit reset. These could be implemented at the server or agent level. I'm for the agent level as it would allow for more flexibility. Here's how I see it working:

    Overflow entry limit: 100
    Reinstatement timeout: 5 minutes
    Reinstatement limit: 2 times
    Reinstatement limit reset: 1 day

    Sample #1: Quick event log burst

    11:30am: Server1 creates 150 events in the application event log.
    11:31am: Kaseya disables application event monitoring for Server1 agent (overflow entry limit has been exceeded).
    11:36am: Kaseya automatically reinstates application event monitoring for Server1 agent (reinstatement attempt #1)

    Result: Event logging monitoring was restored after 5 minutes (reinstatement timeout) and only a few minutes of application events were missed and Kaseya server performance is still intact.

    Sample #2: Sustained writing to event log

    11:30am: Server1 creates 150 events in the application event log.
    11:31am: Kaseya disables application event monitoring for Server1 agent (overflow entry limit has been exceeded).
    11:36am: Kaseya automatically reinstates application event monitoring for Server1 agent (reinstatement attempt #1).
    11:37am: Server1 creates 200 events in the application event log.
    11:38am: Kaseya disables application event monitoring for Server1 agent (overflow entry limit has been exceeded).
    11:43am: Kaseya automatically reinstates application event monitoring for Server1 agent (reinstatement attempt #2).
    11:44am: Server1 creates 150 events in the application event log.
    11:45am: Kaseya disables application event monitoring for Server1 agent (overflow entry limit has been exceeded).
    11:45am: Kaseya permanently disables application event log monitoring and reports that logging has been disabled due to overflow (reinstatement limit exceeded)

    Result: Event logging monitoring could not be restored due to sustained event log entries being created. Logging has been permanently disabled and Kaseya server performance is still intact.


    Anyone else think this is a better way and would save them some grief?

    Matt



    Legacy Forum Name: Server,
    Legacy Posted By Username: connectex
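To make the proposal concrete, here is a simulation of the four-parameter self-healing scheme described in the post above, added as an example; it is not part of the original post and not Kaseya's actual agent logic. It also applies joosan's point from earlier in the thread by counting only the event types being monitored against the overflow limit. Minutes are modelled as integers since midnight, a burst logged during one minute is checked at the next minute's tick (which reproduces the timestamps in both samples), and the class, function and parameter names are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class OverflowPolicy:
    """The four knobs proposed in the thread, with the values from the post."""
    overflow_entry_limit: int = 100        # events in one check window before collection stops
    reinstatement_timeout: int = 5         # minutes until collection is restored automatically
    reinstatement_limit: int = 2           # automatic restores allowed before a permanent disable
    reinstatement_limit_reset: int = 1440  # minutes (1 day) after which the restore counter resets


def hhmm(minute: int) -> str:
    return f"{minute // 60:02d}:{minute % 60:02d}"


@dataclass
class LogMonitor:
    """Collection state of one event log on one agent (hypothetical model)."""
    policy: OverflowPolicy
    monitored_types: Tuple[str, ...] = ("Error",)
    collecting: bool = True
    permanently_disabled: bool = False
    reinstate_at: Optional[int] = None
    reinstatements: int = 0
    first_overflow_at: Optional[int] = None
    pending: int = 0                       # monitored events received since the last tick
    timeline: List[Tuple[str, str]] = field(default_factory=list)

    def record(self, count: int, event_type: str = "Error") -> None:
        # Only the event types the administrator chose to monitor count against
        # the limit, and nothing is counted while collection is suspended.
        if self.collecting and event_type in self.monitored_types:
            self.pending += count

    def tick(self, minute: int) -> None:
        if self.permanently_disabled:
            return
        p = self.policy
        # Reinstatement limit reset: forget old overflows after the reset period.
        if (self.first_overflow_at is not None
                and minute - self.first_overflow_at >= p.reinstatement_limit_reset):
            self.reinstatements = 0
            self.first_overflow_at = None
        # Reinstatement timeout: restore collection automatically.
        if not self.collecting and self.reinstate_at is not None and minute >= self.reinstate_at:
            self.collecting = True
            self.reinstate_at = None
            self.reinstatements += 1
            self.timeline.append((hhmm(minute), f"collection reinstated (attempt #{self.reinstatements})"))
        # Overflow entry limit: check what arrived since the last tick.
        if self.collecting and self.pending > p.overflow_entry_limit:
            if self.first_overflow_at is None:
                self.first_overflow_at = minute
            self.collecting = False
            if self.reinstatements >= p.reinstatement_limit:
                self.permanently_disabled = True
                self.timeline.append((hhmm(minute), "collection permanently disabled (reinstatement limit exceeded)"))
            else:
                self.reinstate_at = minute + p.reinstatement_timeout
                self.timeline.append((hhmm(minute), "collection disabled (overflow entry limit exceeded)"))
        self.pending = 0


def simulate(policy: OverflowPolicy, bursts: Dict[int, List[Tuple[str, int]]],
             start: int, end: int, monitored_types: Tuple[str, ...] = ("Error",)) -> LogMonitor:
    """Run minute by minute; bursts maps a minute to the (event_type, count) pairs logged in it."""
    mon = LogMonitor(policy, monitored_types)
    for minute in range(start, end + 1):
        mon.tick(minute)
        for event_type, count in bursts.get(minute, []):
            mon.record(count, event_type)
    return mon


def t(hour: int, minute: int) -> int:
    return hour * 60 + minute


POLICY = OverflowPolicy()
# Sample #1 from the post: one burst of 150 application log events at 11:30.
SAMPLE_1 = {t(11, 30): [("Error", 150)]}
# Sample #2 from the post: bursts at 11:30, 11:37 and 11:44.
SAMPLE_2 = {t(11, 30): [("Error", 150)], t(11, 37): [("Error", 200)], t(11, 44): [("Error", 150)]}

if __name__ == "__main__":
    for name, bursts in (("Sample #1", SAMPLE_1), ("Sample #2", SAMPLE_2)):
        mon = simulate(POLICY, bursts, t(11, 30), t(11, 50))
        print(name)
        for when, what in mon.timeline:
            print(f"  {when} {what}")
```

Sample #1 ends with collection restored at 11:36; Sample #2 walks through two automatic reinstatements and goes permanent at 11:45, exactly as the post lays out. The same model shows the two behaviours the thread asks for that the scheme as posted covers: a burst a day after the first overflow starts the counter over instead of disabling permanently, and a flood of Information events on a log monitored only for errors never trips the limit at all.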
  • David_Schrag wrote:
    The real problem here is that once the overflow occurs, collection of those events is permanently disabled and there's no one-click way of enabling it again. It would be nice if there was a way to quickly find all the machines whose log settings had been changed and put them back the way they were before the overflow occurred. Anyone know of a way to do this, other than manually scanning for red characters in the Alerts screens?



    I go to Agent/Log Setting and check the ones that are not logging anymore and click the update. I know it's not the fix but quicker than going to all the alerts screens.


    Legacy Forum Name: Server,
    Legacy Posted By Username: jasonp