Thank you all for the input. -Doug Rooney Sonoma TileMakers IT Systems Administrator 7750 Bell Rd. Windsor Ca, 95492 (707) 837-8177 X11 (707) 837-9472 FAX it@xxxxxxxxxxxxxxxxxxxx The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained therein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator. _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Mack Sent: Thursday, February 23, 2006 4:45 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: System Logs... Hi, Masking event log events is generally an all or none activity with the exception of spooler events and application errors. Basically, all the event logs and event types are defined under HKLM\System\CurrentControlset\Services\Eventlog. On a normal (non DC etc) server you'll see 3 keys under the eventlog key, applications, security and system. These correspond to the 3 event logs. Under each of these subkeys you'll see keys corresponding to event sources, for example under system, we see mrxsmb: EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\netevent.dll;%SystemRoot%\System32\iologmsg.dll ParameterMessageFile REG_EXPAND_SZ %SystemRoot%\System32\kernel32.dll TypesSupported REG_DWORD 0x00000007 (7) EventMessageFile defines the source program or DLL for the events. If the DLL is absent, or is missing the appropriate MESSAGE_TABLE resources all you'll see in the event log is an error like "Couldn't enumerate resources..." I've given mrxsmb as an example because for mrxsmb you can define an extra value, REG_DWORD, MailslotDatagramThreshold that defines the maximum number of mailslot requests that can be missed per hour without generating an event. So if you create this value and give it a value between 0 and 0xffffffff you can also generate mailslot missed requests. TypesSupported looks interesting because it defines the event types or severity level that the source can generate. The default binary mask value is 0x00000007 which is the sum of Error = 0x00000001, Warning = 0x00000002 and Information = 0x00000004. Unfortunately changing this value doen't change what's reported so it's a dud as far as you're concerned. So back to my all or none comment. If you delete the appropriate key (for example StiSvc) then that event source will no longer be logged. However that means no informational messages, no warnings or errors, which might not be a terribly smart thing to do. My advice is leave things as they are, extend the size of your event logs, ALWAYS set them to overwrite as needed and restrict access. Use a filter to view the events of interest and the informational messages won't matter. If you want some more detail, there's a really good article about the event log at http://www.oreilly.com/catalog/winlog/chapter/ch02.html regards, Rick Ulrich Mack Volante Systems _____ From: thin-bounce@xxxxxxxxxxxxx on behalf of Andrew Wood Sent: Thu 23/02/2006 19:59 To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: System Logs... unless its 'printing' you can set the print spooler not to log information events. _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Michel Roth Sent: 23 February 2006 08:05 To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: System Logs... Doug, You can only filter informational events out. I do not know of a way to prevent them being logged all together. Regards, Michel Roth www.thincomputing.net On 2/23/06, Doug Rooney <doug@xxxxxxxxxxxxxxxxxxxx> wrote: I have 3 Windows 2000 Server boxes running as terminal servers, two of them run just fine. The third one fill up the system log file about every 5 days, all of the file size limits are the same, but on the one, we get many 'information' logs, I was told I could have those not logged, but I can not figure out how, if I go to properties and de-select it, they go way then, but are back the next time I open it. Could someone please enlighten me on the way to permanently get rid of the informationals. Thank You -Doug Rooney Sonoma TileMakers IT Systems Administrator The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained therein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator. _____ ############################################################################ ######### This e-mail, including all attachments, may be confidential or privileged. Confidentiality or privilege is not waived or lost because this e-mail has been sent to you in error. If you are not the intended recipient any use, disclosure or copying of this e-mail is prohibited. If you have received it in error please notify the sender immediately by reply e-mail and destroy all copies of this e-mail and any attachments. All liability for direct and indirect loss arising from this e-mail and any attachments is hereby disclaimed to the extent permitted by law. ############################################################################ ######### ############################################################################ ######### This e-mail, including all attachments, may be confidential or privileged. Confidentiality or privilege is not waived or lost because this e-mail has been sent to you in error. If you are not the intended recipient any use, disclosure or copying of this e-mail is prohibited. If you have received it in error please notify the sender immediately by reply e-mail and destroy all copies of this e-mail and any attachments. All liability for direct and indirect loss arising from this e-mail and any attachments is hereby disclaimed to the extent permitted by law. ############################################################################ #########