views:

481

answers:

5

I am using the PowerShell PSEventing plugin but have had no luck so far finding an event that triggers when an event log is full. I have looked everywhere in MSDN and the .NET events; I know it has to do with the maximum event log size, but I can't find that trigger, and I'm not sure how to get PSEventing to make things happen. Can anyone help me? Thanks in advance.

+1  A: 

My first thought would be to use a FileSystemWatcher and monitor the file size. I'm not finding any other option, other than monitoring the System event log (I think an event gets written there when a log is full and an attempt to write fails), but that won't work if the log you are concerned about is the system event log.

Steven Murawski
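A concrete version of the FileSystemWatcher idea, as an added example that is not part of Steven's answer. It uses the built-in Register-ObjectEvent (PowerShell 2.0 and later) instead of the PSEventing snap-in, takes the log's configured maximum from Get-EventLog -List, and assumes the Vista/2008 .evtx location under System32\winevt\Logs. One caveat worth knowing before relying on it: the .evtx file grows in chunks, so the Changed event fires when a new chunk is allocated rather than on every record written, which is why this only approximates "how full" the log is.

```powershell
# Added example (not from the original answer): watch the on-disk event log file
# with a FileSystemWatcher and warn when it approaches its configured maximum.
# Uses Register-ObjectEvent (PowerShell 2.0+) in place of the PSEventing snap-in.
# Assumptions: Vista/2008+ .evtx path; maximum size read from Get-EventLog -List.
# The .evtx file grows in chunks, so Changed fires on chunk allocation, not per record.

param(
    [string]$LogName = 'Application',
    [int]$WarnPercent = 90
)

$logDir   = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$fileName = "$LogName.evtx"
$maxBytes = (Get-EventLog -List | Where-Object { $_.Log -eq $LogName }).MaximumKilobytes * 1KB

# Watch only this one log file, and only for size / last-write changes.
$watcher = New-Object System.IO.FileSystemWatcher $logDir, $fileName
$watcher.NotifyFilter = [System.IO.NotifyFilters]'Size, LastWrite'
$watcher.EnableRaisingEvents = $true

# Runs on each Changed event; $Event.MessageData carries the values passed below.
$action = {
    $path = $Event.SourceEventArgs.FullPath
    $size = (Get-Item $path).Length
    $pct  = [math]::Round(100 * $size / $Event.MessageData.MaxBytes, 1)
    if ($pct -ge $Event.MessageData.WarnPercent) {
        Write-Warning ("{0}: {1} is {2}% of its {3} KB maximum" -f `
            (Get-Date), $path, $pct, ($Event.MessageData.MaxBytes / 1KB))
    }
}

Register-ObjectEvent -InputObject $watcher -EventName Changed `
    -SourceIdentifier "EvtLogSize_$LogName" `
    -MessageData @{ MaxBytes = $maxBytes; WarnPercent = $WarnPercent } `
    -Action $action

# Keep the session open while the subscription is active. To tear it down:
#   Unregister-Event -SourceIdentifier "EvtLogSize_$LogName"; $watcher.Dispose()
```

Because this watches the file rather than the log itself, it works for the System log too (the case Steven notes the "watch the System log" approach cannot cover), but a log whose overwrite policy already recycles old records will hover near 100% without ever being "full" in the sense the question means; the percentage is only meaningful for logs configured not to overwrite.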
A: 

I wonder if there is an associated WMI event that you could register a sink for. If I get time I'll look for one.

Ok, so here is what I have found so far. There is a __EventQueueOverflowEvent event sink available. I suspect that this might work for you. There is also the __SystemEvent that also might be useful.

EBGreen
Thanks for the event Oisin, but I am now looking into trapping an exception in PowerShell when the log is full, before it overwrites. I think the exception is called "log is full", but I am not sure, and I don't know that much about Trap and Throw; it is said to be poorly documented, but I am on the trail.
+1  A: 

There is a particular event that occurs in the application or system event logs when they are considered "full" (according to the OverflowAction configured):

http://www.eventid.net/display.asp?eventid=6000&eventno=291&source=EventLog&phase=1

You should watch for events using the WmiEventWatcher for this event (eventid 6000, error) in particular, just like you would watch for any other event.

-Oisin (author of pseventing)

x0n
Is there a different event for the security log "Event log is full"?
If the log is set to overwrite, is there an event ID 6000?
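The subscription Oisin describes, written out as an added example that is not part of his answer or of PSEventing. It uses the built-in Register-WmiEvent (PowerShell 2.0 and later) with an __InstanceCreationEvent query over Win32_NTLogEvent, the WMI class that surfaces newly written event log records, and assumes the "log file is full" record (event ID 6000, source EventLog) lands in the System log as the eventid.net entry describes. The trailing Get-EventLog call is the one-shot equivalent for hosts where a live subscription is not practical.

```powershell
# Added example (not from the original answer): subscribe to "log file is full"
# records (source EventLog, event ID 6000) via WMI instead of polling the logs.
# Uses the built-in Register-WmiEvent rather than PSEventing.
# Assumption: event 6000 is written to the System log by source "EventLog".

$query = @"
SELECT * FROM __InstanceCreationEvent WITHIN 10
WHERE TargetInstance ISA 'Win32_NTLogEvent'
  AND TargetInstance.Logfile = 'System'
  AND TargetInstance.SourceName = 'EventLog'
  AND TargetInstance.EventCode = 6000
"@

Register-WmiEvent -Query $query -SourceIdentifier 'EventLogFull' -Action {
    # TargetInstance is the new Win32_NTLogEvent record.
    $e = $Event.SourceEventArgs.NewEvent.TargetInstance
    # WMI stores TimeGenerated as a CIM datetime string; convert it for display.
    $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($e.TimeGenerated)
    # The message names the log that filled, e.g. "The Application log file is full."
    Write-Warning ("{0} {1}: {2}" -f $when, $e.ComputerName, $e.Message)
    # Defensive response goes here: archive and clear the affected log, page an operator, etc.
}

# One-shot check of the same condition without a subscription:
Get-EventLog -LogName System -Source EventLog -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 6000 } |
    Select-Object TimeGenerated, MachineName, Message

# Tear down with: Unregister-Event -SourceIdentifier 'EventLogFull'
```

On the comment's first question: from a defender's point of view the Security log is the one that matters most here, because a full Security log with overwriting disabled means audit records are silently lost, so whichever record your platform writes for that condition should be wired into the same subscription. On the second question, a log configured to overwrite as needed never reaches the "full" state that produces this event; only the overflow action determines whether it fires.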
A: 

One way is to use Microsoft System Center or MOM to monitor for event ID 523. I believe a patch needs to be applied to the servers so that a full log registers an event. Check the Microsoft Web Site. Ours triggers at 90%; I believe you can set the percentage at which you want it to trigger.

You can also probably do this with WMI or PowerShell, but it would have to be run frequently to catch changes. A simple DIR on the event log file will give you the size; if you know the upper limit, you can calculate the % full. This could be automated in VB or C#.
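The polling calculation this answer sketches, as an added example that is not part of the answer. Rather than a DIR plus a hand-entered upper limit, it reads both the current and maximum file size (in bytes) from the Win32_NTEventlogFile WMI class, which also exposes the overwrite policy, so the script can tell which logs will actually stop accepting records when they fill. The 90% threshold is the answer's figure; it is meant to be run from Task Scheduler since it polls.

```powershell
# Added example (not from the original answer): compute how full each classic
# event log is from WMI and warn above a threshold (90% as the answer describes).
# Win32_NTEventlogFile.FileSize and .MaxFileSize are both in bytes.
# Run on a schedule (Task Scheduler); this polls rather than subscribes.

param([int]$WarnPercent = 90)

function Get-EventLogFillLevel {
    Get-WmiObject -Class Win32_NTEventlogFile | ForEach-Object {
        $pct = if ($_.MaxFileSize -gt 0) {
            [math]::Round(100 * $_.FileSize / $_.MaxFileSize, 1)
        } else { 0 }
        New-Object PSObject -Property @{
            Log             = $_.LogfileName
            Records         = $_.NumberOfRecords
            SizeKB          = [math]::Round($_.FileSize / 1KB)
            MaxKB           = [math]::Round($_.MaxFileSize / 1KB)
            PercentFull     = $pct
            OverwritePolicy = $_.OverwritePolicy   # WhenNeeded, OutDated or Never
        }
    }
}

$levels = Get-EventLogFillLevel
$levels | Sort-Object PercentFull -Descending |
    Format-Table Log, Records, SizeKB, MaxKB, PercentFull, OverwritePolicy -AutoSize

# Only logs that do not overwrite ('Never') ever refuse new records, so those are
# the ones where a high fill level is an operational problem rather than normal.
foreach ($l in $levels | Where-Object { $_.PercentFull -ge $WarnPercent }) {
    Write-Warning ("{0} log is {1}% full ({2} KB of {3} KB, overwrite policy {4})" -f `
        $l.Log, $l.PercentFull, $l.SizeKB, $l.MaxKB, $l.OverwritePolicy)
}
```

Because the script reports the overwrite policy alongside the percentage, the same scheduled run also catches a log that has been quietly reconfigured to a small maximum or to never overwrite, both of which shorten how much history is available to an incident responder.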