Why does Windows Event Log stop logging events before maximum log size is reached?

Posted by Tuure Laurinolli on Server Fault See other posts from Server Fault or by Tuure Laurinolli
Published on 2010-03-03T03:22:12Z Indexed on 2010/04/07 5:03 UTC
Read the original article Hit count: 326

Filed under:

event-log

I have a service that produces a lot of event log output. Currently the event log is configured to overwrite any old events to keep the log from ever getting full. We have also increased the event log size considerably (to about 600 MB).

Recently the service started reporting errors to its clients, and the error message it was sending to its clients is "The event log file is full". How can this be, when event log is configured to overwrite as necessary?

In our hurry to get the service back up we cleared the event log without saving its contents, but most likely it had not reached 600 MB yet, judging from sizes of some earlier log dumps. There is also MS KB entry 312571, which reports that a hot fix to a similar issue is available, but the the configuration that the fix applies to is not exactly the same we have. Specifically, the fix only applies if event logs are configured to never overwrite old events.

I wonder if this has something to do with the fact that the log files apparently are memory-mapped. What happens if the system runs out of address space to map files to?

Related posts about event-log

Windows Server 2008 Send Error Message on Event Log Error

as seen on Server Fault - Search for 'Server Fault'
We currently have a Windows Server 2008 machine that we have configured with a Custom Task to send an email whenever an error occurs in a certain Event Log. The trigger works perfectly, and sends emails whenever we need them to. HOWEVER, we cannot find a way to get the email to contain information… >>> More
How do I fix a custom Event Viewer Log that merges automatically with the Application log?

as seen on Server Fault - Search for 'Server Fault'
I am trying to create a custom event log for a Windows Service on Windows Server 2003. I would like to name the custom log "(ML) Startup Commands". However, when I add a registry key with that name to HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\, it adds a log but shows the exact same events that… >>> More
Modify the Event Log Source name for an SSIS package

as seen on Stack Overflow - Search for 'Stack Overflow'
I have an SSIS package that logs to the Event Log (yes, the event log!) The default "Source" of the log events is "SQLISPackage100" but I want it to be something like "AppName". Event Type: Error Event Source: SQLISPackage100 Event Category: None ... Description: Package "Foo" failed. I… >>> More
Modify the Event Log Source name for an SSIS package

as seen on Stack Overflow - Search for 'Stack Overflow'
I have an SQL Server integration Services (SSIS) package using the standard Event Log provider (yes, the event log! I know we can use SQL etc...) The default "Source" of the log events is "SQLISPackage100" but I want it to be something like "AppName" so that the errors are more visible between the… >>> More
New event log nowhere to be found after creating in PowerShell

as seen on Server Fault - Search for 'Server Fault'
Through PowerShell, I am attempting to create a new event log and write a test entry to it, but it is not showing up the Event Viewer. This is the command I'm using to create a new event log: new-eventlog -logname TestLog -source TestLog And to write a new event to it: write-eventlog TestLog -source… >>> More

Developer IT