Hi! I wanted to share something cool I figured out and implemented in my environment recently. Hopefully this can help others.

Recently, a bunch of my servers have been hit with an issue where Windows' cbs.log file becomes too large (over 2GB) for Windows to compact. This really becomes an issue because Windows fills up c:\windows\temp with a bunch of files ~100mb in size called "cab_1111-1" (with different numbers), twice a day. These files are supposed to be compacted by a maintenance job in Windows. This doesn't happen due to the size of the log file. I just removed 2200 of these files, around 50GB, from one server.

I wrote a procedure to run a PowerShell script, read the output, check the script output for the word "Alarm", then add a Windows log event. I use the Kaseya Views DB to filter all managed machines for this Windows event with SQL, export to csv, and send it to someone to create follow-up tickets to check on this.

A bit confusing. Here's how it works:

PowerShell script (since it's a one-liner, it goes in the PowerShell Arguments/Commands field of the Kaseya procedure). The pattern is a regex, not a glob: `^cab_\d+_[1-7]` matches the uncompressed cab_<number>_<number> files, where the original `cab_*_[1-7]` only matched by accident because -match is unanchored:

if ((Get-ChildItem -Path C:\Windows\Temp | Where-Object { $_.Name -match '^cab_\d+_[1-7]' } | Where-Object { $_.Length -gt 70MB }).Count -ge 8) { Write-Host 'Alarm - Excess cabs!' }


Kaseya:

ExecutePowershellCommand32bitSystem("", "if ((Get-ChildItem -Path C:\Windows\Temp | Where-Object { $_.Name -match '^cab_\d+_[1-7]' } | Where-Object { $_.Length -gt 70MB }).Count -ge 8) { Write-Host 'Alarm - Excess cabs!' }", true (save #global:psresult#), all OS...)

//Or, in words: "if more than 8 files match the filename pattern and are over 70MB in size, write out 'Alarm'", then check the saved output with checkVar.

if checkVar("#global:psresult#") Contains "Alarm"

CreateEventLogEntry("Excessive CAB warning", "Warning", "System"...)

Run the procedure. Wait 5 minutes, or however long it takes for Kaseya to collect logs and insert them into the logging DB.
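As an added example (not code from the original post), here is a longer stand-alone version of the same check that also reports the CBS.log size the post identifies as the root cause and writes the Windows event itself, so it can run from a scheduled task without a Kaseya procedure. It assumes Windows PowerShell 5.1 running as an administrator; the event source name and event ID are placeholders chosen for this example, and the thresholds (8 files over 70MB, 2GB CBS.log) are the ones the post describes.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1, run as admin.
$TempPath   = 'C:\Windows\Temp'
$CbsLog     = 'C:\Windows\Logs\CBS\CBS.log'   # the log that grows past 2GB and stops compaction
$MinCabSize = 70MB                            # thresholds from the post
$MaxCabs    = 8
$CbsLimit   = 2GB
$Source     = 'CabCleanupCheck'               # placeholder event source name
$EventId    = 1001                            # placeholder event ID

# Uncompressed servicing cabs are named cab_<number>_<number> with no extension
$cabs = @(Get-ChildItem -Path $TempPath -File |
    Where-Object { $_.Name -match '^cab_\d+_\d+$' -and $_.Length -gt $MinCabSize })

$cabCount = $cabs.Count
$cabTotal = [double]($cabs | Measure-Object -Property Length -Sum).Sum
$cbsSize  = if (Test-Path $CbsLog) { (Get-Item $CbsLog).Length } else { 0 }

if ($cabCount -ge $MaxCabs) {
    $cbsNote = if ($cbsSize -gt $CbsLimit) {
        ' (over the 2GB limit, so the maintenance job will keep failing)'
    } else { '' }
    $msg = "Excessive CAB warning: $cabCount files over $($MinCabSize / 1MB)MB in $TempPath, " +
           "$([math]::Round($cabTotal / 1GB, 2)) GB total. CBS.log is " +
           "$([math]::Round($cbsSize / 1MB)) MB$cbsNote."

    # Write-EventLog fails if the source has never been registered, so register it once
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    Write-EventLog -LogName Application -Source $Source -EventId $EventId `
        -EntryType Warning -Message $msg

    # Keep the 'Alarm' marker so a checkVar-style string test still works on the output
    Write-Output "Alarm - Excess cabs! $msg"
} else {
    Write-Output "OK - $cabCount oversized cab files in $TempPath"
}
```

Because the event lands in the Application log under the placeholder source, the same eventmessage filter used in the query below works whether the event was written by Kaseya or by this script.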

Open something to query your Kaseya Views DB. I use Heidi because it has a super light footprint compared to SQL studio.

Here is the query I run:

select l.machine_groupid, m.ipAddress, l.eventid, l.eventtime, l.eventmessage
from vnteventlog as l
join vmachine as m on m.agentguid = l.agentguid /* I like having the IP available so I can just type it into RDP without searching for the machine in Kaseya */
where l.eventid = '607' /* Kaseya script event ID */
and l.eventmessage like '%excessive CAB%' /* wildcard search for all events with this text in the event message field */
order by l.eventtime desc

I've automated this query in a Bash script on my Linux box to run once a week and send an updated list of affected computers until we figure out a permanent solution. I could script automatic remediation, but I want to know which machines have problems and get hands on them to find anomalies. I'm sure you could do it a bunch of other ways. I found all affected machines in a 300-server environment in about 25 seconds. I sent the report of machines off to our office admin to create tickets to have the machines looked at.

No more 8kb/500gb free space issues!