[THIN] Re: Sifting thru the data

  • From: "Rick Mack" <ulrich.mack@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Sun, 20 Jul 2008 20:01:20 +1000

Hi Doug,

I did this a few years ago for a customer having severe disconnection
problems which ended up being due to a slightly bent Cisco router.

I used dumpel (Windows resource kit) to sieve through the eventlogs to get
all the logon disconnection/connection data and dump it as a csv file. Then
there was a batch file with a for loop that cleaned things up so it could
be imported into Excel and graphed.

The idea was to combine all the logs, sort on data so you could see the
distribution of disconnections, on a server, time and user basis.
That should let you narrow down on the cause of the problem.

This is the stuff I had in my notes:

Events extracted from event logs.

Security   Security      Logon/logoff   682    Session reconnected
Security   Security      Logon/logoff   683    Session disconnected
System     TermService   None           9007   Autoclient reconnect
System     TermService   None           9006   Autoclient failed (cookie)


The following 2 command lines were used to extract these events in comma
delimited format from the security and system logs on the farm servers.

For /f %i in ('qfarm /load ^| find /I "tml"') do dumpel -s \\%i -l security -m security -e 682 683 -c >> farm_seclog.txt

For /f %i in ('qfarm /load ^| find /I "tml"') do dumpel -s \\%i -l system -m termservice -e 9007 -c >> farm_syslog.txt

The stuff we extracted were things like:



Top Ten Affected Users

User          WS Type   IP Address   ICA client build   Disconnects
cdraper       PC        10.1.2.162                      90
charris       WT        10.1.4.174   931                100
dmorris *     PC        10.1.2.163   21825              250
gbousgas      PC        10.1.1.162   1050               137
jelder        PC        10.1.1.169   21825              156
kdoyle        PC        10.1.2.168   21825              117
mmckavanagh   PC        10.1.2.163                      115
mparry        PC        10.1.1.167                      75
scarter       PC        10.1.2.170   21825              235
tpratt        PC        10.1.2.165   21825              125

We also did a disconnections by site and disconnections by server frequency.
As stated earlier, it turned out to be a router at head office. To find that
took someone doing network packet capture between a server and one of the
most heavily affected users.

regards,

Rick


On 7/18/08, Stratton, Doug ISMC:EX <Doug.M.Stratton@xxxxxxxxx> wrote:
>
>  We are in the process of trying to look thru our W2K3 Security logs to
> identify how many times clients are connecting/dropping/reconnecting again.
>
> It seems like mountains of data and I was just wondering if there is a
> simple solution to gathering this data.
>
> The sort of thing I would like something like:
>
> UserA
>         Date - logon
>         Date - logoff (or other such thing, drop/disconnect…)
>
> UserB
>         ….
>
> We are going thru this exercise because we have clients who are reporting
> drops and we want to get a better picture of how bad this is.
>
> Any scripts out there or tools that can do this would be greatly
> appreciated.
>
> Regards,
> *Doug Stratton*, Shared Service BC
> Service Desk Email:* 77000@xxxxxxxxx*
> Service Desk Tel:* (250)387-7000*
>
>
>



-- 
Ulrich Mack
Quest Software
Provision Networks Division
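
The per-user, per-server and per-hour tally described in the message above, as an added example that is not part of the original post or its batch file. The column order in FIELDS, the server names and the sample rows are assumptions constructed for illustration; match FIELDS to the combined CSV you actually have.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumed column order of the combined CSV; adjust to the real export.
FIELDS = ["date", "time", "type", "category", "event_id",
          "source", "user", "server", "description"]
DISCONNECT, RECONNECT = "683", "682"  # Security event IDs from the notes

# Constructed sample rows (not real log data); the last one is malformed.
SAMPLE = """\
7/14/2008,9:02:11 AM,8,2,683,Security,usera,TML01,Session disconnected
7/14/2008,9:02:40 AM,8,2,682,Security,usera,TML01,Session reconnected
7/14/2008,9:47:03 AM,8,2,683,Security,usera,TML02,Session disconnected
7/14/2008,9:51:30 AM,8,2,683,Security,userb,TML01,Session disconnected
7/14/2008,2:15:09 PM,8,2,683,Security,UserA,TML01,Session disconnected
7/14/2008,2:15:55 PM,8,2,682,Security,UserA,TML01,Session reconnected
truncated line
"""


def tally(text):
    """Count disconnects per user, server and hour; reconnects per user."""
    out = {k: Counter() for k in ("user", "server", "hour", "reconnect")}
    skipped = 0
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        try:
            when = datetime.strptime(f"{row['date']} {row['time']}",
                                     "%m/%d/%Y %I:%M:%S %p")
            user = row["user"].strip().lower()  # fold case variants together
        except (ValueError, AttributeError):
            skipped += 1  # short or unparseable line: count it, do not guess
            continue
        event = (row["event_id"] or "").strip()
        if event == RECONNECT:
            out["reconnect"][user] += 1
        elif event == DISCONNECT:
            out["user"][user] += 1
            out["server"][row["server"]] += 1
            out["hour"][when.hour] += 1
    return out, skipped


if __name__ == "__main__":
    counts, skipped = tally(SAMPLE)
    for key in ("user", "server", "hour"):
        print(key, counts[key].most_common(10))
    print("reconnects", dict(counts["reconnect"]), "skipped", skipped)
```
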
