#5 ignore filtering and size limiting has no effect

open
nobody
5
2010-08-18
2010-08-18
T.J. Yang
No

The ignore filtering and size limiting has no effect. I currently have
the following in /etc/hobbit/client-local.cfg - doesn't do anything useful.

[win32]
log:eventlog_security:10240
ignore .*
ignore .
msgs:eventlog_security:10240
ignore .*
ignore .
eventlog:security:10240
ignore Windows Filter
ignore handle
ignore .*
ignore .
eventlog:System:10240
ignore .*
ignore .
eventlog:application:10240
ignore .*
ignore .

I also have success and failure auditing turned on - which means the
event log reports can be very big. Too big for hobbitd to handle even
with MAXMSG_DATA set at values like 15242880 (i.e. 15MB), so I get
"flooding" client errors.

Also, the event log subsystem has changed in Vista and Server 2008.
Neither BBNT or BBWin seems to handle event log processing properly for
these.

Thanks, David.

Discussion