date: Thu, 1 May 2008 06:45:01 -0700,
group: microsoft.public.win32.programmer.wmi
Large WMI notification query may cause a quota violation
Hi,
I am querying the Security Event log for all events, and the event log is
128MB in size. I am writing every event to a text file as it is being read
from the Security event viewer. I am getting the following error on my
Windows Server 2003 sp2 machine:
Line: 181
Char: 2
Error: 0x8004106C
Code: 8004106C
Source: (null)
I saw KB 828653 "Large WMI notification query may cause a quota violation",
but found that since I had sp2 installed the properties for the Esscli.dll
file on this server vs. that listed in the KB article 828653, the server
version is newer. The server version of Esscli.dll is: version 5.2.3790.3959
(Srv03_Sp2_rtm.070216-1710). I called Microsoft on this and they told me
that the hotfix didn't apply and that I'd have to pay $259 to get help with
this.
I can't justify that cost given the error is exactly what should have been
fixed and is known by Microsoft, so I'm left on my own. Can anyone please
help me??
The line (181) of code that is pointed to in the failure is the last line
(Next) below.
Code:

    ' Overwrite/create the Eventlog.txt
    Set strFile = objFSO.CreateTextFile(strPath, True)
    strFile.WriteLine(strLogName & "event log exported for " _
        & objComputer & " on: " & Now()) & vbcrlf

    '---------------------------------------------------------------------
    ' Connect to, and query WMI for Event Viewer
    Set objWMI = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate,(Security)}!\\" _
        & strComputer & "\root\cimv2")
    Set colLoggedEvents = objWMI.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = " & strEventLog)

    ' --------------------------------------------------------------------
    ' Enumerate/filter event properties and write them to the Eventlog.txt
    bOverNinetyDays = False
    EventCount = 0
    NewEventCount = 0
    For Each objItem in colLoggedEvents
        dtmTimeGenerated = dtmStringToDate(objItem.TimeGenerated)

        If CompareDates(dtmNinetyDaysAgo, dtmTimeGenerated) < 0 Then
            bOverNinetyDays = True
        End If

        If CompareDates(dtmYoungest, dtmTimeGenerated) > 0 Then
            strFile.WriteLine("Type: " & objItem.Type)
            strFile.WriteLine("Date/Time: " & dtmTimeGenerated)
            strFile.WriteLine("Source: " & objItem.SourceName)
            strFile.WriteLine("Event ID: " & objItem.EventCode)
            strFile.WriteLine("Computer: " & objItem.ComputerName)
            strFile.WriteLine("User: " & objItem.User)
            strFile.WriteLine("Category: " & objItem.CategoryString)
            strFile.WriteLine("Description: " & objItem.Message)
            strFile.WriteLine (" ")
            EventCount = EventCount + 1
        End If

        If EventCount >= EventLimit Then
            Exit For
        End If
    Next

Can you please assist me with this issue?
Thanks,
Jake
date: Thu, 1 May 2008 06:45:01 -0700
author: Jake
RE: Large WMI notification query may cause a quota violation
You could try using a forward-only enumerator:

    Set colLoggedEvents = objWMI.ExecQuery _
        ("Select * from Win32_NTLogEvent Where Logfile = " & strEventLog, , 48)

--
urkec
date: Thu, 1 May 2008 13:10:00 -0700
author: urkec
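
The forward-only suggestion above, written out as an added example that is not code from either poster: the flag value 48 is wbemFlagReturnImmediately (16) plus wbemFlagForwardOnly (32), and 0x8004106C is WBEM_E_QUOTA_VIOLATION. It goes beyond the reply by also limiting the query to the properties written out and to a recent time window so the result set stays small. strComputer, strOutPath and nDays are assumed values, and the calling account is assumed to hold the Security privilege the moniker enables.

```vbscript
' Added example, not code from the thread. strComputer, strOutPath and nDays are assumed values.
Option Explicit
Const wbemFlagReturnImmediately = &H10     ' semi-synchronous: ExecQuery returns at once
Const wbemFlagForwardOnly       = &H20     ' results are released once enumerated
Const WBEM_E_QUOTA_VIOLATION    = &H8004106C

Dim strComputer, strOutPath, nDays
strComputer = "."
strOutPath  = "C:\Temp\SecurityEvents.txt"
nDays       = 1

' Convert the cutoff to the CIM datetime string that WQL compares against.
Dim objCutoff
Set objCutoff = CreateObject("WbemScripting.SWbemDateTime")
objCutoff.SetVarDate DateAdd("d", -nDays, Now()), True

Dim objWMI, colEvents, objEvent, objFSO, objOut, lngCount, lngErr
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")

' Ask only for the properties that are written out, and only for the recent window.
Set colEvents = objWMI.ExecQuery( _
    "Select TimeGenerated, EventCode, SourceName, User, Message " _
    & "From Win32_NTLogEvent Where Logfile = 'Security' " _
    & "And TimeGenerated >= '" & objCutoff.Value & "'", _
    "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOut = objFSO.CreateTextFile(strOutPath, True, True)   ' overwrite, Unicode
lngCount = 0

' With semi-synchronous calls, provider errors surface while enumerating.
On Error Resume Next
For Each objEvent In colEvents
    If Err.Number <> 0 Then Exit For
    objOut.WriteLine objEvent.TimeGenerated & vbTab & objEvent.EventCode & vbTab _
        & objEvent.SourceName & vbTab & objEvent.User & vbTab & objEvent.Message
    lngCount = lngCount + 1
Next
lngErr = Err.Number
On Error GoTo 0
objOut.Close

If lngErr = WBEM_E_QUOTA_VIOLATION Then
    WScript.Echo "Quota violation after " & lngCount & " events; reduce nDays and rerun."
ElseIf lngErr <> 0 Then
    WScript.Echo "Stopped after " & lngCount & " events, error 0x" & Hex(lngErr)
Else
    WScript.Echo lngCount & " events written to " & strOutPath
End If
```

A forward-only collection can be walked once only, so anything needed later (such as the event count) has to be gathered during that single pass.
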
RE: Large WMI notification query may cause a quota violation
Thanks,
But I narrowed it down to the Impersonation... for some reason the Server
(which is a DC) doesn't like the ,(Security) part of the following string:

    Set objWMI = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate,(Security)}!\\" _
        & strComputer & "\root\cimv2")

So I changed it to

    Set objWMI = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" _
        & strComputer & "\root\cimv2")

Which works great on every machine BUT the DCs. So now I'm still trying to
figure out how to query the Security event log on a DC.
date: Thu, 1 May 2008 16:49:00 -0700
author: Jake