|
Dilbert As gently caress posted:http://www.boche.net/blog/index.php/2013/03/19/large-memory-pages-and-shrinking-consolidation-ratios/ The paper says he migrated all the VMs off of the host when he disabled large pages.
|
#
?
Aug 5, 2014 15:48
|
|
|
|
| # ? May 9, 2024 14:49 |
|
|
edit : ^^^^  Dilbert As gently caress posted:Swap, ballooning, compression that is not being reclaimed. Yeah, I'd read that article before I posted, and one of the first things he does is vmotion everything off and put the host in maintenance mode. quote:So I evacuated a vSphere host using maintenance mode, configured Mem.AllocGuestLargePage to a value of 0, then placed all the VMs back onto the host. Shown below are the before and after results. I'm not saying its not possible, but It did absolutely nothing on my test machine till I power cycled the VMs.
|
|
#
?
Aug 5, 2014 15:51
|
|
|
Wicaeed posted:Why? Assuming you have VMware Tools installed you can view the DNS name from the VM OS level right in vCenter Meet in the middle. Call the VM: serverx.mydomain.local (developer wiki) I watch more operators struggle trying to find things when VMs aren't named the same as the DNS name. Also you won't be able to view the VM's guest information without VMware tools. So if it's powered off, in the middle of a reboot, or bluescreened/had a kernel panic you might never find it.
|
|
#
?
Aug 5, 2014 17:06
|
|
|
Does VMWare not have a description field? Or an Owner field?
|
|
#
?
Aug 5, 2014 18:04
|
|
|
Jeoh posted:Does VMWare not have a description field? Or an Owner field? Yeah there's a description field that you can set on VMs. It's also somewhat extensible as I understand. Of course if you are having issues with VM names not matching hostnames you should really take another look at your change control/management process.
|
|
#
?
Aug 5, 2014 18:08
|
|
|
https://labs.vmware.com/flings/vmware-os-optimization-tool Awesome little tool off the VMlabs if anyone is looking for image optimization.
|
|
#
?
Aug 5, 2014 19:41
|
|
|
Dilbert As gently caress posted:https://labs.vmware.com/flings/vmware-os-optimization-tool Warning: Test before deploying these optimizations. Some optimizations may break things like Adobe Reader updates in certain environments, as it disables some services that applications may depend on.
|
|
#
?
Aug 5, 2014 23:56
|
|
|
Docjowles posted:Is virtualbox an option? It seems like what you want is a layer of abstraction that would let your VMs work regardless of the underlying OS which is pretty much what VB provides. Or do you specifically care about testing the capabilities of the distro as a host OS? I'd rather stay away from Virtual Box. I've had poo poo luck with migrating guests between hosts, corrupt images, etc. evol262 posted:Doesn't actually explain much. The bare metal would be on this box, along with all VMs. Use case example: Three classes of VMs: full time servers (plex/upnp server for the house), on-demand (fire up a dev os for occasional Android development), and primary desktop os (like Mint). One day I decide to add a dedicated full-time asterisk server. The next I add an on-demand Minecraft development os. Next, I switch from Mint to Arch for my primary desktop. The ultimate goal is to allow me to swap primary desktops as often I want, but not having to spend half a day recreating a host environment for all the other VMs (this includes getting Virtual Box to work with the guests). Or even have those other VMs down while I install a new desktop. I'd rather have the primary desktop(s) be guests of a really lightweight bare metal hypervisor os, just like the other VMs. I get the feeling kvm+libvirt could just about do this with a minimal Linux install, but nobody's done it yet. At least not that I'm aware of.
|
|
#
?
Aug 6, 2014 04:30
|
|
|
No no serious posted:
These could all be ran on a E5-2460 or whatever i5-%hyperthreading goes here%. Java is Ram MHZ, and CPU intensive pieces of poo poo out there. Windows is the only supporter or RST/SRST fuction; where you can sub in an SSD to do READ/WRITE fuctions. PROTIP: use it; HDD will be your slowdown. quote:The ultimate goal is to allow me to swap primary desktops as often I want, but not having to spend half a day recreating a host environment for all the other VMs (this includes getting Virtual Box to work with the guests). Or even have those other VMs down while I install a new desktop. I'd rather have the primary desktop(s) be guests of a really lightweight bare metal hypervisor os, just like the other VMs. Download centOS, run in basic mode like GNome 2(not supported right Gnome 3 basic is it right?). Put an SSD for the READ cache and dedicate swap to run on SSD. Allocate only what needed, use VMware Worksation Technical preview (protip free!). Whammo high performing L2 Hypervisor. Protip: I think based on the code Worksation is developed for debian just FYI quote:I get the feeling kvm+libvirt could just about do this with a minimal Linux install, but nobody's done it yet. At least not that I'm aware of. Just use DSL and custom add the modules. However, if you are that worried about performace, upgrade your HW to a dedicated esxi whitebox. I mean poo poo you can run multiple servers off a unix/workstation install and not even know it... Storage is the killer; For now, soon it will be network....
|
|
#
?
Aug 6, 2014 04:47
|
|
|
No no serious posted:The ultimate goal is to allow me to swap primary desktops as often I want, but not having to spend half a day recreating a host environment for all the other VMs (this includes getting Virtual Box to work with the guests). Or even have those other VMs down while I install a new desktop. I'd rather have the primary desktop(s) be guests of a really lightweight bare metal hypervisor os, just like the other VMs. Could he use ESXi (or anything other hypervisor with this ability) and use VMDirectPath I/O passthrough to give a standalone video card to the "desktop" guest? Plug the monitor to the video card and it should work I think. Everything else should work like a normal guest. Switching out the "desktop" would be as simple as shutting down the guest, removing the video card, then assigning it to another guest - this would even allow you to flip back and forth with (relative) ease. I've never personally done it, it would be a giant kludge, and you would need mobo support for VT-d... but I *think* it should theoretically work. edit: https://www.youtube.com/watch?v=NQZONW09zbo Looks like someone doing something similar here. I'm guessing you would also need to passthrough your USB KB/Mouse for input. Also think about sound  There is a big ol thread linked in the video that I can't be arsed to read. Good luck and let us know how it goes if you try it 
Fancy_Lad fucked around with this message at 05:10 on Aug 6, 2014 |
|
#
?
Aug 6, 2014 05:03
|
|
|
Drunkposting? Badposting? Wrongposting? I don't know. Please don't follow any advice here. DSL for KVM? Weird CentOS gibberish? Distro mattering for Workstation? No no serious posted:I'd rather stay away from Virtual Box. I've had poo poo luck with migrating guests between hosts, corrupt images, etc. No no serious posted:The bare metal would be on this box, along with all VMs. OK, yes and no. With chipset and CPU support, VMware will happily do this. As will XCP, Xen, libvirt, and anything else you want (as long as you configure it). There are two questions: First, why are you changing distros so often? And why can't you just virtualize your "gently caress around" VM? That's what your desktop actually is if you swap so frequently this even matters (I do Dev on gentoo, centos, RHEL, fedora, Ubuntu, and suse frequently -- I haven't changed distros for a "daily driver" in two years) Second, why is passthrough important? Do you want hardware accel? Is there a reason you couldn't use SPICE or RDP to the guest, even on a different X server? VMware or any Linux distro will do this (best have a 2nd GPU/keyboard/mouse for the console, or serial). Or use Workstation/Fusion/Virtualbox on another partition. Or KVM with /etc/libvirt.d and /var/lib/libvirt/images on partitions. I mean, I see why you're interested (in theory). Not dual booting, but changing your environment without disrupting your "servers". Bluntly, nobody has productized this because it's dumb. You can use rdp, nx, vnc, or spice to access guests for daily drivers like they're native (with limited/bad accel, but you can play vidya somewhere else). You can leave the disks and configs (vmx, libvirt XML, whatever) on another partition. You can buy another system capable of being a "real" baremetal host for $200. "I want all the benefits of both type 1 and type 2 hypervisors" doesn't exist. Because few people need or want it, it's finicky with hardware, etc. Pick one. XCP, libvirt, VMware, and we'll tell you how to do it on bare metal (assuming two GPUs, hid devices, vt-d/iommu support). But there's no ready made solution. And I'd suggest you buy a cheap 2nd box instead for a variety of reasons.
|
|
#
?
Aug 6, 2014 07:21
|
|
|
Dilbert As gently caress posted:Protip: I think based on the code Worksation is developed for debian just FYI Beside myself, I think I know of one guy on that UI team that uses Debian. The people that work on the virtualization side of things pretty much use everything you can imagine for Linux distros. I know a few running gentoo. Debian is not even high up on the test list. RHEL, SLES, and Ubuntu are the big ones. Then the other distros closely related to those.
|
|
#
?
Aug 6, 2014 15:12
|
|
|
Admittedly it's been a while since I had to do a proper P2V -- is VMware Converter still what I'd use to do a P2V of a CentOS machine? Prefer to do a cold-clone if possible; don't really want to install anything on the machine.
|
|
#
?
Aug 7, 2014 02:42
|
|
|
DevNull posted:Beside myself, I think I know of one guy on that UI team that uses Debian. The people that work on the virtualization side of things pretty much use everything you can imagine for Linux distros. I know a few running gentoo. Debian is not even high up on the test list. RHEL, SLES, and Ubuntu are the big ones. Then the other distros closely related to those. Isn't ubuntu like completely based off debian? While SLES/RHEL is red had? Martytoof posted:Admittedly it's been a while since I had to do a proper P2V -- is VMware Converter still what I'd use to do a P2V of a CentOS machine? Prefer to do a cold-clone if possible; don't really want to install anything on the machine. converter does pretty much everything; cold clone for consistency if you are doing something pre 6.2, other wise hot clone it. evol262 posted:Drunkposting? Badposting? Wrongposting? I don't know. Please don't follow any advice here. DSL for KVM? Weird CentOS gibberish? Distro mattering for Workstation? DSL for a minimal install base that runs soley of a flash drive and does KVM with minimal over head. DSL is good if you don't mind it's limitations, but if doing KVM it would work out well. CentOS 7 is better in things than 6.x, so I will give it props to that. I'll give you the distro thing, it's just me nit picking. Dilbert As FUCK fucked around with this message at 02:58 on Aug 7, 2014 |
|
#
?
Aug 7, 2014 02:52
|
|
|
Dilbert As gently caress posted:Isn't ubuntu like completely based off debian? While SLES/RHEL is red had? SLES is the downstream/productized OpenSUSE. It's like the relationship between Fedora and RHEL. It uses RPM, but isn't derived from our packages. Dilbert As gently caress posted:DSL for a minimal install base that runs soley of a flash drive and does KVM with minimal over head. DSL is good if you don't mind it's limitations, but if doing KVM it would work out well. CentOS 7 is better in things than 6.x, so I will give it props to that. Many changes are backported into EL6 anyway (as part of libvirt, qemu-kvm, qemu-kvm-rhev, or otherwise). But the only "module" you need for KVM is KVM. If you mean enabling nesting, that's just kernel versioning. I'm just sort of  since anything you can put on a flash drive with the same version of libvirt, kernel, and qemu as DSL (almost any distro at all with unetbootin, liveusb-creator, direct installs with syslinux/grub) will perform as well as a KVM host as DSL. There are reasons to recommend it, but DSL isn't one of them. It isn't actually as minimal as a minimal fedora/centos/arch/ubuntu/whatever install on a flash drive -- it's minimal memory and space usage for a distro that boots into a graphical environment. It also hasn't been updated since 2012. I'd have to test, but I'd guess centos is significantly more featureful and faster running guests. I mean, I'm picking it apart a little, too. But there's not really a "best" distro for KVM.
|
|
#
?
Aug 7, 2014 06:08
|
|
|
evol262 posted:The relationship between Ubuntu and Debian is now more complex. Ubuntu takes a completely fine distro, and royally fucks it up.
|
|
#
?
Aug 7, 2014 15:28
|
|
|
And here I was thinking "DSL" meant "Domain-specific Language", not "drat Small Linux", which made DAF's post make even less sense.
|
|
#
?
Aug 7, 2014 15:41
|
|
|
I thought we were talking about digital subscriber lines?!?!?
|
|
#
?
Aug 7, 2014 15:46
|
|
|
Sorry for going offtopic (unless we're talking DSL/VDSL/SHDSL or DSLAMS, in which case, brace yourself for nerd factor 5), but I wanted to ask a VMWare Player question, and then brag a little about finally figuring out the questions I'd posted here. It might be tl:dr, so feel free to skip past, if you wanna keep talking about you're current topic. I fully understand! Anyway, long story short, I've gotten some crazy OSes to work in Virtualbox, and integrate them into my GNS3 sim topologies. It's like a frankenstein's lab, but all virtual. I've got a Netware 5.1 server that talks IPX/SPX to an NT4 workstation using Client32 and nwadmin, I've gotta Linux Mint 17, Haiku, Plan 9, Win98SE, MS-DOS6.22, and theoretically, I'm trying to get a Cisco call manager working in a new topology, along with some IPBLUE MultiLab "skinny" softphones. I even found a Huawei simulator that supposedly can integrate with GNS3, but I'm kinda loathe to use it. Not sure why I even dowloaded it. Morbid curiosity? I love GNS3, and I love virtualbox! I really want to try win98SE on VMWare PLayer (sound doesn't work mostly in VB), but I keep getting an MSI error. I uninstalled the Workstation version I used on to fart with OSX Snowleopard), but VM Player just doesn't want to install, and I've tried all the times from VMWare support. Any sugggestions? Sorry again for the threadjack. Pleas continue. Hz so good fucked around with this message at 06:46 on Aug 8, 2014 |
|
#
?
Aug 8, 2014 06:32
|
|
|
Are there any special privileges required to use vmware-cmd? I have a number of VMs on a cluster managed by our QC department and they're having ldap issues with it so they created an internal account for me to make use of for connecting/reverting snapshots. With the original account (ldap) this command works: vmware-cmd -H vsphere -h esxhost -l -U "int\user" -P password -l When I use the internal account they created I simply get "Host not found". The account they setup for me only gives me access to the specific VMs, ldap account had much broader access. I'd just move these VMs to our cluster but there's politics at play.
|
|
#
?
Aug 8, 2014 12:59
|
|
|
evol262 posted:Drunkposting? Badposting? Wrongposting? I don't know. Please don't follow any advice here. DSL for KVM? Weird CentOS gibberish? Distro mattering for Workstation? I probably wasn't clear enough (posting on my phone all week). I'll only ever have one graphical desktop os running at any given time (any guests that have a GUI I could connect via vnc or spice or whatever). The main issue thing is, I want to try out a new distro for a few days without disrupting the other guests on my box, then either stay with that distro or revert. I can definitely reboot to choose whatever is the primary desktop (especially if that means dedicating hardware to pass through to the guest). That way the other services I'm running (plex, asterisk, whatever) are down minimally. I think I'm just getting spoiled by things like Digital Ocean, where I can just create vm instances, gently caress around, then kill them. I kind of want them all in one machine, desktop, headless guests, etc. I'll probably mess around with esxi or something and see if that will work. If not I'll build a dedicated home server box that I can properly virtualize, and keep my desktop just a desktop. To be honest, part of this was an exercise in seeing what's possible.
|
|
#
?
Aug 8, 2014 13:40
|
|
|
No no serious posted:The main issue thing is, I want to try out a new distro for a few days without disrupting the other guests on my box, then either stay with that distro or revert. You can do this with lots of hypervisors if you have vt-d/iommu support. But you'll need a second keyboard/mouse/GPU attached to use as the console for the hypervisor. Or serial. And another system (laptop or otherwise) to build the new VM and configure passthrough. In theory, you could set up an internal pxe server and make your "desktop" VM pxe all the time (boot from local through that) so you wouldn't have to remap, but... I'm still pretty confused why you can't just use virtual box or something in full screen for this. Or vnc. What do you need hardware accel for, and why can't you leave one VM (Ubuntu, windows, whatever) as the passthrough target, then vnc or whatever to screw around with distros? But then we're back to "why virtualize"? You could also consider thin clients, but more hardware again. It's possible if you have the right hardware. But even though I see what you're trying to do, I'm totally unclear on why you want to do it. It adds complexity for no gain. If you want to, check for hardware passthrough support, figure out how you're gonna rebuild the desktop VM (pxe or another machine), install esxi or Linux, make a guest, enable passthrough for your 2nd gpu, passthrough your second keyboard and mouse, and go from there. Also, " I'm OK to reboot" makes me wonder even more why you're not OK with using a type 2 hypervisor with guests on a different disk or partition. E: thinking about it, you could probably toggle passthrough to another guest with the vSphere SDK, though I've never looked at this specifically. Libvirt could be similarly configured. Doesn't change anything else, though evol262 fucked around with this message at 15:21 on Aug 8, 2014 |
|
#
?
Aug 8, 2014 14:53
|
|
|
Since we're speaking of the hardware side, is there any way to use my laptop as a VGA KVM for hooking up to hosts? Like a USB dongle with a VGA Input with USB Virtual KVM? I've never had a situation where there wasn't a spare monitor and Keyboard mouse in a server room, but it would be nice not to have to locate these items.
|
|
#
?
Aug 8, 2014 15:17
|
|
|
Vaporware posted:Since we're speaking of the hardware side, is there any way to use my laptop as a VGA KVM for hooking up to hosts? Like a USB dongle with a VGA Input with USB Virtual KVM? Yes. However, all of the solutions I've found are quite expensive... ~$330 StarTech NOTECONS01 KVM Console to USB 2.0 Portable Laptop Crash Cart Adapter If it suits your needs though, the product demos look pretty decent.
|
|
#
?
Aug 8, 2014 19:20
|
|
|
Whoa, niiice. Yes that is what I was talking about. awesome, now to justify the cost!
|
|
#
?
Aug 9, 2014 03:21
|
|
|
edit: solved this problem myself -- turns out having an adapter bridged with guests is not very compatible with the host also having RRAS configured on that adapter. The packets going out of the guests get caught by the host's RRAS service, which bounces ICMP Redirect messages back to the guests, which causes some confusion. Original message below for posterity. --- I've been getting some disappointing network performance in my VMs, and I've tried basically everything I've found online to try to resolve the problem to no avail. Hopefully someone here can point me to something I haven't already tried. Here's the setup: Host
Guest
The problem I'm facing is that when I start up an RTMP stream to a server on the guest via x.x.x.28 (the guest's bridged IP address), I get pretty severe hitches in the data stream. This occurs even at bitrates down to 400Kbps. I've done all of the following in the process of trying to track down the problem:
At this point I've pretty much run out of leads on how to improve the situation and get acceptable stream performance to the guest via the bridged network connection. Any advice anyone has would be greatly appreciated. biznatchio fucked around with this message at 08:05 on Aug 9, 2014 |
|
#
?
Aug 9, 2014 03:24
|
|
|
biznatchio posted:
I think this is fixed here http://blogs.vmware.com/workstation/2014/07/vmware-workstation-technology-preview-july-2014.html evol262 posted:things I mostly agree with I'd just want to debate DSL booting and the <64MB over head to run KVM; depending on how far you actually want to customize your OS is debatible but ehhhhh. Like you said, nitpicking leads to no where. Dilbert As FUCK fucked around with this message at 03:56 on Aug 9, 2014 |
|
#
?
Aug 9, 2014 03:52
|
|
|
Dilbert As gently caress posted:I think this is fixed here Is there something in particular that makes you think this? I don't see any references to networking changes in their What's New notes.
|
|
#
?
Aug 9, 2014 05:16
|
|
|
biznatchio posted:Is there something in particular that makes you think this? I don't see any references to networking changes in their What's New notes. I had issues running Ubuntu on 2k8R2 SP1 on my home machine, preview fixed it. And besides it's free 2015 workstation!
|
|
#
?
Aug 9, 2014 05:29
|
|
|
Dilbert As gently caress posted:I'd just want to debate DSL booting and the <64MB over head to run KVM; depending on how far you actually want to customize your OS is debatible but ehhhhh. Like you said, nitpicking leads to no where. You should also consider that new versions of libvirt link against about 30 libraries, including ceph, gluster, etc. And DSL is two years behind on features, fixes, and performance. Plus, ksm is incredibly effective. Running with overhead as low as possible is nice, but it's not worth sacrificing everything else for, and performance/guest density will probably be worse anyway. Because it's two years old. I guess, as someone who works on products based in KVM, there is no substitute for running the newest kernels and libvirt versions. Really.
|
|
#
?
Aug 9, 2014 05:34
|
|
|
evol262 posted:I mean, maybe, but Debian and EL6 actually run with 64mb. Yeah that's true I agree. I dunno maybe it's the company I work with...
|
|
#
?
Aug 9, 2014 05:40
|
|
|
biznatchio posted:I've been getting some disappointing network performance in my VMs, and I've tried basically everything I've found online to try to resolve the problem to no avail. Hopefully someone here can point me to something I haven't already tried. Here's the setup: Just to follow up on this, I've solved this problem myself -- turns out having an adapter bridged with guests is not very compatible with the host also having RRAS configured on that adapter. The packets going out of the guests headed toward the gateway to the internet get caught by the host's RRAS service, which bounces ICMP Redirect messages back to the guests because it thinks it's supposed to be doing the routing, which causes some confusion; even if the guest is configured to ignore ICMP Redirect messages. Lesson learned: don't configure VPN on the host, just set up a guest and have the guest expose the VPN to the private host-only network instead!
|
|
#
?
Aug 9, 2014 08:07
|
|
|
Has anyone here done work to optimize the eventlogs for virtual servers? The defaults for 2008R2 just plain stupid in my opinion. 1gb for each log file (application, security, system) and the security logging is so verbose that you end up filling that inside a week with just a low volume server enrolled in the domain. On a high-volume server with a lot of network resources being hit, the entire 1gb of the security log turns over every 1-2 hours here. You end up with about 1.5mil entries you don't care about. Besides the lost space on the C: vol, its also ballooning the deltas on our backup snapshots and generating unnecessary write IOPs. I threw a policy in to limit the size of the logs to 25mb which seemed like more than enough but that doesn't solve the IOP problem. I assume it's the "Audit account logon events: Success" default for server OS's that is generating all the crap, but are there specific offenders I can filter out with the Advanced Audit Policy Configuration options?
|
|
#
?
Aug 13, 2014 21:09
|
|
|
We bought solarwinds lem which can record all the event logs and store it in a database.
|
|
#
?
Aug 13, 2014 21:29
|
|
|
thread says I have unread reply. I do not. Bumping to fix it.
|
|
#
?
Aug 14, 2014 00:15
|
|
|
If my DAVG/rd and DAVG/cmd is through the roof, what are the chances that it could be anything but hardware related? I'm talking in the neighborhood of 400-1500 here. This is a new-ish DL380 G7, P410i with 8 256GB SSDs in a RAID-10 so this thing should be blazing fast, but my VM is choking waiting for I/O and esxtop shows DAVG issues. All firmware up to date, latest HP ESXi drivers in place for HBA, etc. HP swears up and down that it's not their hardware now and I'm going to have to buy a per-incident support pack from VMware to help prove them wrong which isn't the worst use of $300, but I just know it's going to end up with HP pointing the finger at VMware and vice versa while I twiddle my thumbs.
|
|
#
?
Aug 14, 2014 00:24
|
|
|
Are writes also slow? Do you see anything in the vmkernel log that shows I/O failures? Maybe there's a problem handling VAAI or certain command types. With that kind of latency, I expect you're seeing aborts, resets, or busy sense codes.
|
|
#
?
Aug 14, 2014 01:13
|
|
|
Martytoof posted:If my DAVG/rd and DAVG/cmd is through the roof, what are the chances that it could be anything but hardware related? I'm talking in the neighborhood of 400-1500 here. This is a new-ish DL380 G7, P410i with 8 256GB SSDs in a RAID-10 so this thing should be blazing fast, but my VM is choking waiting for I/O and esxtop shows DAVG issues. What kind of workload is running on the disks?
|
|
#
?
Aug 14, 2014 01:26
|
|
|
Kachunkachunk posted:Are writes also slow? Do you see anything in the vmkernel log that shows I/O failures? Maybe there's a problem handling VAAI or certain command types. With that kind of latency, I expect you're seeing aborts, resets, or busy sense codes. Writes are actually not slow, which is the maddening part of all this. I'll have to verify the vmkernel log at work tomorrow. I ended up migrating the VM to another host and it's fine now, but I'll have to track down this issue. NippleFloss posted:What kind of workload is running on the disks? I'm going to say something like 600 or CMD/s? It's a SIEM so it's constantly receiving thousands of events per second. I honestly forget what that translates to -- I'll have to verify all this tomorrow.
|
|
#
?
Aug 14, 2014 02:21
|
|
|
|
| # ? May 9, 2024 14:49 |
|
|
BangersInMyKnickers posted:Has anyone here done work to optimize the eventlogs for virtual servers? The defaults for 2008R2 just plain stupid in my opinion. 1gb for each log file (application, security, system) and the security logging is so verbose that you end up filling that inside a week with just a low volume server enrolled in the domain. On a high-volume server with a lot of network resources being hit, the entire 1gb of the security log turns over every 1-2 hours here. You end up with about 1.5mil entries you don't care about. Besides the lost space on the C: vol, its also ballooning the deltas on our backup snapshots and generating unnecessary write IOPs. I threw a policy in to limit the size of the logs to 25mb which seemed like more than enough but that doesn't solve the IOP problem. I assume it's the "Audit account logon events: Success" default for server OS's that is generating all the crap, but are there specific offenders I can filter out with the Advanced Audit Policy Configuration options? The rate at which security audit events will be generated depends on the role of the server. Domain Controllers and Exchange CAS servers will always generate huge amounts of security audit events as clients are continually authenticating against them. Also application servers which use Windows integrated authentication will likely generate a lot of security audit events. The best option would be to setup a SIEM server to collect the logs (We use RSA enVision which has a rubbish GUI however we are using an ancient version). Once the logs are being picked up by your SIEM server you could exclude them from your backups.
|
|
#
?
Aug 14, 2014 14:15
|
|