Check NT Event Log gives timeout

All questions related to installations, configurations and maintenance of Advanced Host Monitor (including additional tools such as RMA for Windows, RMA Manager, Web Service, RCC).
Dieter_A
Posts: 2
Joined: Tue Oct 25, 2011 1:09 am

Post by Dieter_A »

We have a test running in HostMonitor version 8.68 to check the security event log of our domain controller to see if any change has been made to our High Privileged Account Groups.

It checks the security log of the domain controller for certain events and, in those selected events, for a string in the description. However, when the security log grows beyond a certain point, we get timeouts on this test. When we clear the event log, everything works fine again. Can we change the timeout of a specific NT Event Log test so that it waits longer before giving a timeout?
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

It depends on exactly which "timeout" is involved.
Could you please tell us exactly what the test status is and exactly what message you see in the Reply field of the test?

Regards
Alex
Dieter_A
Posts: 2
Joined: Tue Oct 25, 2011 1:09 am

Post by Dieter_A »

The test status is set to unknown and the Reply is Timed out. Below is a sample message that is mailed to us.

Message from HostMonitor (host changed status)

Date : 2011-10-24 14:35:57

SLA Folder : Security
Test : NTLog xxxxx:Security\Security - Monitor High Priv Groups
Host : xxxxx

Method : check NT Event Log
Reply : Timed out
Status : Unknown

Recurrences : 7
Total tests : 1468
Alive ratio : 98,30 %
Dead ratio : 0,61 %
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

This is HostMonitor's timeout; it means the test cannot provide any results within 15 min.
It's strange because HostMonitor does not check all records in the log; it calls the Windows API to retrieve only new records, records that were added since the previous test probe.

Maybe the target system does not work correctly? How many records can be added between two consecutive test probes?
What Windows is installed on the HostMonitor system? Service Pack?
Windows on the remote system? Service Pack?
Do you have any antivirus monitors, personal firewall, or content monitoring software installed? Non-standard winsock components?
What "compatibility mode" do you use for the test? Windows NT or Windows Vista mode?

Can you try to install RMA (Remote Monitoring Agent) on the target system and use RMA to perform this test?

Regards
Alex
dstj
Posts: 24
Joined: Wed Mar 15, 2006 2:12 pm

Post by dstj »

Is the 15 min. timeout adjustable somewhere?
I'm thinking there are too many log events for HostMonitor to deal with in 15 mins, hoping to give the test more time to complete.

Thanks.

Dave
KS-Soft wrote:This is HostMonitor's timeout; it means the test cannot provide any results within 15 min.
It's strange because HostMonitor does not check all records in the log; it calls the Windows API to retrieve only new records, records that were added since the previous test probe.

Maybe the target system does not work correctly? How many records can be added between two consecutive test probes?
What Windows is installed on the HostMonitor system? Service Pack?
Windows on the remote system? Service Pack?
Do you have any antivirus monitors, personal firewall, or content monitoring software installed? Non-standard winsock components?
What "compatibility mode" do you use for the test? Windows NT or Windows Vista mode?

Can you try to install RMA (Remote Monitoring Agent) on the target system and use RMA to perform this test?

Regards
Alex
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

The Windows timeout for RPC calls is shorter than 15 min. If you see a "Timed out" reply for an NT Event Log test, this means something is wrong. The system does not work correctly.

Could you please provide more information:
HostMonitor version?
How many test items did you set up?
Average test load (Auditing Tool shows this info)? Any errors or warnings?
What value do you use for the "Don't start more than N tests per second" option?

Windows and Service Pack on HostMonitor and remote system?
Do you use ODBC logging or the ODBC test method? If yes, what ODBC driver do you use?
Do you have any antivirus monitors, personal firewall, or content monitoring software installed? Non-standard winsock components?

Could you check resource usage for each process? You may use the standard Windows Task Manager to check Handles, GDI and USER objects. What is the total resource usage on the system? How many handles/threads/GDI objects are used by the hostmon.exe process?

Regards
Alex
dstj
Posts: 24
Joined: Wed Mar 15, 2006 2:12 pm

Post by dstj »

See answers below.
If I had to guess, I'd say the Windows 2008 servers are having more trouble than the 2003 servers.
Hoping to monitor security events to help troubleshoot locked out accounts.
KS-Soft wrote:The Windows timeout for RPC calls is shorter than 15 min. If you see a "Timed out" reply for an NT Event Log test, this means something is wrong. The system does not work correctly.

Could you please provide more information:
HostMonitor version? 9.22
How many test items did you set up? 71 (only 4 tests of NTLog)
Average test load (Auditing Tool shows this info)? Any errors or warnings? don't know where this tool is
What value do you use for the "Don't start more than N tests per second" option? 32

Windows and Service Pack on HostMonitor and remote system? Windows 2003 Server and Windows 2008 R2 Server
Do you use ODBC logging or the ODBC test method? If yes, what ODBC driver do you use? yes, SQL Server 6.01.7601.17514
Do you have any antivirus monitors, personal firewall, or content monitoring software installed? Non-standard winsock components? yes, Trend Micro OfficeScan, no non-standard winsock components that I'm aware of

Could you check resource usage for each process? You may use the standard Windows Task Manager to check Handles, GDI and USER objects. What is the total resource usage on the system? How many handles/threads/GDI objects are used by the hostmon.exe process?
Handles=513, Threads=16, User Objects=159, GDI Objects=209

Regards
Alex
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

dstj wrote:Handles=513, Threads=16, User Objects=159, GDI Objects=209
HostMonitor resource usage looks fine. What is the total resource usage on the system? Also, please check the remote system.

dstj wrote:Windows and Service Pack on HostMonitor and remote system? Windows 2003 Server and Windows 2008 R2 Server
If you need to check the Event Log on Windows 2008 systems, then it's better to install HostMonitor or the RMA agent on a Windows 7/2008 system as well.
However, if you need to check just the standard logs (application, security), it should work; a "timed out" error is pretty unusual... I assume only 1 system cannot be checked while other systems work fine?
Could you try to install the RMA agent on this system and use the agent to perform this test?

dstj wrote:I'm thinking there are too many log events for HostMonitor to deal with in 15 mins
Too many log events? How many events are recorded within 2 consecutive test probes (e.g. if you are using a 5 min test interval, new events within 5 min)?

dstj wrote:Average test load (Auditing Tool shows this info)? Any errors or warnings? don't know where this tool is
Menu View->Auditing Tool

dstj wrote:If I had to guess, I'd say the Windows 2008 servers are having more trouble than the 2003 servers.
Yes, and Windows 2012 has more problems than Windows 2008

Regards
Alex
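
The check discussed in this thread (read only the records added since the previous probe, then look for changes to high-privileged groups) can be reproduced outside HostMonitor to measure how many records arrive between probes and whether the target itself answers slowly. The PowerShell below is an added example, not part of any post above and not HostMonitor's code; the host name, state-file path, group list and choice of event IDs are assumptions.

```powershell
# Added example, not HostMonitor code. Host name, state path and group list are
# placeholders chosen for illustration.
param(
    [string]$ComputerName = 'dc01.example.test',
    [string]$StateFile    = "$env:ProgramData\SecLogProbe\last-record.txt",
    [string[]]$Groups     = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
)

# Membership changes: 4728/4729 global, 4732/4733 local, 4756/4757 universal group.
$ids = 4728, 4729, 4732, 4733, 4756, 4757

# Newest record currently in the log, and the one the previous probe stopped at.
$newest = (Get-WinEvent -ComputerName $ComputerName -LogName Security -MaxEvents 1).RecordId
$last   = if (Test-Path $StateFile) { [long](Get-Content $StateFile) } else { $newest }
if ($newest -lt $last) { $last = 0 }   # log was cleared since the last probe; rescan

# The XPath filter is evaluated by the Event Log service on the target, so only
# matching records in the window ($last, $newest] are returned to the monitoring host.
$idExpr = ($ids | ForEach-Object { "EventID=$_" }) -join ' or '
$xpath  = "*[System[($idExpr) and EventRecordID > $last and EventRecordID <= $newest]]"

try {
    $hits = @(Get-WinEvent -ComputerName $ComputerName -LogName Security `
              -FilterXPath $xpath -Oldest -ErrorAction Stop)
} catch {
    # "No events found" is the normal quiet case; anything else is a real failure.
    if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    $hits = @()
}

# Keep only changes to the watched groups (TargetUserName holds the group name).
$changes = foreach ($e in $hits) {
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($Groups -contains $data['TargetUserName']) {
        [pscustomobject]@{
            Time = $e.TimeCreated; EventId = $e.Id; Group = $data['TargetUserName']
            Member = $data['MemberName']; ChangedBy = $data['SubjectUserName']
        }
    }
}

# Persist the high-water mark and report how much the log grew between probes.
New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
Set-Content -Path $StateFile -Value $newest
"New records since last probe: $($newest - $last); group changes: $(@($changes).Count)"
$changes
```

Wrapping the run in `Measure-Command` on the monitoring host and again locally on the domain controller shows whether the delay is in the remote call or in the log service itself.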