Windows 7 log size limits and overwrite policy: an analysis

  
        The importance of the

log has been deeply rooted in the hearts of the people. But as time goes on, the space occupied by the entire event log is constantly expanding. To do this, you need to set a maximum upper limit for the log file to prevent it from taking up too much hard disk space. This is not only a waste, but also a certain obstacle to reading. And different log files have different importance. To this end, the system administrator should determine the maximum upper limit of each log file and the principle of log coverage based on the importance of the log file, hard disk space, and deployed applications. In this regard, Windows 7 has some improvements over Windows 2003. The author will talk about the limitations of log files in Windows 7 and focus on some of the improvements in this area.


The figure above shows the management interface for Windows 7 log files, that is, the properties dialog of a log in Event Viewer. In Windows 7 these settings are defined separately for each log. The operating system keeps many log files, and each one records a specific part of the system's activity, so their importance and the volume they record differ. The system administrator therefore needs to understand what each log records and how important it is, and then set these controls accordingly. On a stand-alone system the log files normally live on the system drive, so they must not be allowed to take up too much space, or they will affect the performance of the operating system itself.

First, setting the upper limit on log file size.

The system administrator can set the maximum disk space each log file may occupy. The procedure is simple: select the log, right-click it, and choose Properties; the dialog shown above opens. It contains an option labelled "Maximum log size (KB)", and the maximum size of the log is entered in the text box next to it. Two points deserve attention when setting this limit.

First, the number entered here must be a multiple of 64. The value shown above, 20480, is 320 times 64. If the value entered is not a multiple of 64, for example 20481, the system shows an error message along the lines of "The log size value must be in 64 KB increments and must be greater than zero; the log size will be set to the nearest multiple of 64 KB". After pressing OK, the value is automatically changed to the nearest multiple of 64 (20480 in this case). A value such as 20416, which is 319 times 64, is accepted as entered. System administrators should keep this restriction in mind.

Second, a bigger log file is not automatically better. A large log can hold every event, but it also makes later reading harder: finding what you need among a huge number of records is no easy task. A log that occupies too much of the system drive also affects the performance of the operating system. The log size should therefore be kept within a reasonable limit. There is no uniform standard for what "reasonable" means; the system administrator usually has to decide the appropriate size from experience and from the applications deployed on the system. As a rule of thumb, however, the space taken by the logs on the system drive should not exceed 5%.
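As an added example (not part of the original article), the following PowerShell applies the two checks just described: it reproduces the 64 KB rounding rule, compares the sum of all configured maximum log sizes against the 5% rule of thumb for the system drive, and applies a new size through the built-in wevtutil tool. The function names are the editor's own, and the script assumes an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example, not from the original article. Function names are the editor's
# own; assumes an elevated PowerShell prompt on Windows 7 or later.

function Round-ToLogSizeIncrement {
    # Reproduces the Event Viewer rule: sizes are entered in KB, must be > 0,
    # and are adjusted to the nearest multiple of 64 KB.
    param([Parameter(Mandatory=$true)][long]$SizeKB)
    if ($SizeKB -le 0) { throw "The log size must be greater than zero." }
    $increments = [math]::Round([double]$SizeKB / 64, [System.MidpointRounding]::AwayFromZero)
    return [long]([math]::Max(1, $increments) * 64)
}

function Get-EventLogSizeBudget {
    # Article's rule of thumb: all logs together should stay under ~5% of the system drive.
    param([int]$MaxPercent = 5)
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $budget = [long]($disk.Size * $MaxPercent / 100)
    $configured = (Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.IsEnabled } |
        Measure-Object -Property MaximumSizeInBytes -Sum).Sum
    New-Object PSObject -Property @{
        SystemDrive     = $env:SystemDrive
        BudgetMB        = [math]::Round($budget / 1MB)
        ConfiguredMaxMB = [math]::Round($configured / 1MB)
        WithinBudget    = ($configured -le $budget)
    }
}

function Set-EventLogMaxSize {
    param(
        [Parameter(Mandatory=$true)][string]$LogName,
        [Parameter(Mandatory=$true)][long]$SizeKB
    )
    $adjusted = Round-ToLogSizeIncrement -SizeKB $SizeKB
    if ($adjusted -ne $SizeKB) {
        Write-Warning "$SizeKB KB is not a multiple of 64 KB; using $adjusted KB."
    }
    # wevtutil set-log (sl) takes the maximum size in bytes via /ms.
    wevtutil sl $LogName /ms:$($adjusted * 1KB)
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed for '$LogName' (exit code $LASTEXITCODE)" }
}

# The values discussed in the article: 20480 is accepted as entered, 20481 is
# adjusted to 20480, and 20416 (319 x 64) is already a valid value.
20480, 20481, 20416 | ForEach-Object {
    "{0,6} KB entered -> {1,6} KB applied" -f $_, (Round-ToLogSizeIncrement -SizeKB $_)
}

Get-EventLogSizeBudget | Format-List
Set-EventLogMaxSize -LogName 'Application' -SizeKB 20480
```

Get-EventLogSizeBudget sums the configured maxima, not the current file sizes, so it reports the worst case the logs could grow to; a system that is "within budget" here cannot be pushed over the 5% line by log growth alone. The same setting can be read back afterwards with `wevtutil gl <LogName>`.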

Second, what happens when the log file reaches its limit.

In the same dialog, after defining the size limit, you also need to define what the system does when that limit is reached. Windows 7 offers three options. They are the same in kind as those of Windows Server 2003, but some of the individual options differ from 2003.

The first is "Overwrite events as needed (oldest events first)". When the log file reaches its upper limit, the oldest records are discarded to make room for new events. This option is much the same as in Windows Server 2003. Note, however, that if you choose it you need to pay special attention to the size of the log. For example, if the Windows 7 firewall is enabled and the machine's network traffic is heavy, the upper limit of the firewall log needs to be set larger; otherwise, when the system runs into a problem, the useful records may already have been overwritten.

The second is "Do not overwrite events (Clear logs manually)". When the log file reaches its upper limit, the system stops recording new events, and logging only resumes after the administrator clears the log by hand. This is obviously not a good way to handle a full log: every event after that point is lost, and if the "Audit: Shut down system immediately if unable to log security audits" policy is also enabled, a full Security log halts the machine. Unless you have a specific requirement, it is best not to choose this option.

The third is "Archive the log when full, do not overwrite events". This option does not exist in Windows Server 2003; it is new in Windows 7 (it arrived with the Vista-generation event log). In my view it is very practical. Some high-end servers with strict stability requirements need to keep logs for a year or longer, for example audit logs of file access. With this option selected, the operating system does not overwrite the existing records when the log reaches its limit. Instead, the full log is saved to an archive file, by default named Archive-<LogName>-<timestamp>.evtx in %SystemRoot%\System32\winevt\Logs, and the live log starts again empty. If the administrator later needs old log information, say the log from this time last year, the relevant archive file can be opened in Event Viewer. This is indeed an attractive improvement in Windows 7. One caveat: the archives are never deleted automatically, so the disk space they consume must be monitored and pruned by the administrator.

However, Windows 7 removed an option that existed in Windows Server 2003: "Overwrite events older than N days". For example, we could set this value to 30; when the log file became full, the system would automatically free the space used by records older than 30 days to store new ones. The option had its shortcomings, such as the question of what to do when the log is full but none of the records have reached that age. In some deployments, though, it was very useful. If the logs are also collected on a dedicated log server, so that the space for log files is effectively unlimited (or at least not limited by this machine), the option could guarantee a minimum retention period, such as 30 days, while still capping the space used locally. I cannot understand why Microsoft's operating system experts removed this option.
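The following PowerShell is an added example from the editor, not code from the original article. It maps the three Event Viewer choices discussed above to the LogMode values that Get-WinEvent -ListLog exposes (Circular, AutoBackup, Retain), flags logs left in "Do not overwrite" mode, measures how much disk the archives produced by "Archive the log when full" have already consumed, and shows how to switch a log to archive mode with wevtutil. Function names are the editor's own; an elevated prompt on Windows 7 or later is assumed.

```powershell
# Added example, not from the original article. Function names are the editor's
# own; assumes an elevated PowerShell prompt on Windows 7 or later.

# LogMode as reported by Get-WinEvent -ListLog, mapped to the Event Viewer wording.
$modeDescription = @{
    'Circular'   = 'Overwrite events as needed (oldest events first)'
    'AutoBackup' = 'Archive the log when full, do not overwrite events'
    'Retain'     = 'Do not overwrite events (Clear logs manually)'
}

function Get-EventLogRetentionReport {
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.IsEnabled } |
        ForEach-Object {
            $mode = "$($_.LogMode)"
            # Retain mode silently drops new events once the log is full.
            $warning = ''
            if ($mode -eq 'Retain') { $warning = 'stops logging when full' }
            New-Object PSObject -Property @{
                LogName     = $_.LogName
                Mode        = $mode
                Description = $modeDescription[$mode]
                MaxMB       = [math]::Round($_.MaximumSizeInBytes / 1MB, 1)
                UsedMB      = [math]::Round($_.FileSize / 1MB, 1)
                Warning     = $warning
            }
        }
}

function Get-ArchivedLogUsage {
    # Archive mode writes Archive-<LogName>-YYYY-MM-DD-HH-MM-SS-mmm.evtx next to the live logs
    # and never removes them, so this is the disk usage the administrator has to watch.
    $dir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
    Get-ChildItem -Path $dir -Filter 'Archive-*.evtx' -ErrorAction SilentlyContinue |
        Group-Object { $_.BaseName -replace '^Archive-(.+?)-\d{4}(-\d{2,3}){6}$', '$1' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                LogName  = $_.Name
                Archives = $_.Count
                TotalMB  = [math]::Round(($_.Group | Measure-Object -Property Length -Sum).Sum / 1MB, 1)
                Oldest   = ($_.Group | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
            }
        }
}

function Set-EventLogArchiveMode {
    # "Archive the log when full" = retention on (/rt:true) AND auto-backup on (/ab:true).
    param([Parameter(Mandatory=$true)][string]$LogName)
    wevtutil sl $LogName /rt:true /ab:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed for '$LogName' (exit code $LASTEXITCODE)" }
}

Get-EventLogRetentionReport | Sort-Object Mode, LogName |
    Format-Table LogName, Mode, MaxMB, UsedMB, Warning -AutoSize
Get-ArchivedLogUsage | Format-Table LogName, Archives, TotalMB, Oldest -AutoSize
Set-EventLogArchiveMode -LogName 'Security'
```

The two wevtutil switches correspond directly to the dialog: /rt:false is "Overwrite events as needed", /rt:true alone is "Do not overwrite events", and /rt:true together with /ab:true is "Archive the log when full". Running Get-ArchivedLogUsage on a schedule is the practical counterpart of the caveat above: archive mode trades bounded disk usage for complete history, and nothing in the system enforces a ceiling on the archives.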

Third, clear the logs promptly after deploying the operating system.


After an operating system has been deployed and is about to be handed over to its users, it is often best to empty the log files manually. Right-click the relevant log and select Properties; the dialog that opens has a "Clear Log" button. When the administrator clicks it, Windows 7 offers to save the log before clearing ("Save and Clear" or "Clear"), and then empties the log.

The reason is that during deployment, testing and similar activities generate a large number of log records in a short time, and these records do not reflect the real behaviour of the enterprise applications. Left in place, they would mislead later work. In my view the ideal approach is for the administrator to back up these log files first and then empty them, so that the system handed over to the enterprise users is a relatively clean one with its applications deployed. When the logs need to be read later, the events from the original testing no longer appear, which makes it much easier for the administrator to read the logs and troubleshoot system and service failures. Bear in mind that clearing a log is itself recorded: the Security log records event 1102 ("The audit log was cleared") and the System log records event 104 for other logs, which is also why monitoring teams treat an unexpected clear as a sign of tampering.
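The hand-over step described above, scripted as an added example by the editor (not code from the original article): each log is exported to a timestamped .evtx file first and is cleared only if the export succeeded, and the script then shows the audit record that the clear itself leaves behind. The function name and backup directory are the editor's assumptions; an elevated prompt on Windows 7 or later is assumed.

```powershell
# Added example, not from the original article. The function name and the
# default backup directory are the editor's own choices; assumes an elevated
# PowerShell prompt on Windows 7 or later.

function Backup-AndClearEventLog {
    param(
        [Parameter(Mandatory=$true)][string[]]$LogName,
        [string]$BackupDir = (Join-Path $env:SystemDrive 'LogBackup')
    )
    if (-not (Test-Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($log in $LogName) {
        # Log names such as "Microsoft-Windows-TaskScheduler/Operational" contain
        # path separators, so they are made safe for use in a file name.
        $safeName = $log -replace '[\\/]', '_'
        $target = Join-Path $BackupDir ("{0}-{1}.evtx" -f $safeName, $stamp)

        # epl = export-log: copies the current contents to .evtx without touching the live log.
        wevtutil epl $log $target
        if ($LASTEXITCODE -ne 0) {
            throw "Export of '$log' failed (exit code $LASTEXITCODE); the log was NOT cleared."
        }

        # cl = clear-log: only runs after the export succeeded.
        wevtutil cl $log
        if ($LASTEXITCODE -ne 0) {
            throw "Clearing '$log' failed (exit code $LASTEXITCODE)."
        }

        New-Object PSObject -Property @{
            LogName = $log
            Backup  = $target
            SizeMB  = [math]::Round((Get-Item $target).Length / 1MB, 1)
        }
    }
}

# Security is cleared last, so the 1102 event written for that clear is the
# first record in the fresh Security log.
Backup-AndClearEventLog -LogName 'Application', 'System', 'Security' |
    Format-Table LogName, SizeMB, Backup -AutoSize

# Clearing is audited: Security logs event 1102 ("The audit log was cleared"),
# and the System log records event 104 for the other logs.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 |
    Select-Object TimeCreated, Id, Message
```

wevtutil can also back up and clear in one step (`wevtutil cl <LogName> /bu:<path>`); the two-step form is used here so that a failed export visibly stops the script before anything is lost. The exported .evtx files open directly in Event Viewer via "Open Saved Log", so the pre-hand-over history stays available without cluttering the live logs.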

Finally, system administrators need to be aware of the differences in overwrite behaviour between Windows 7 and Windows Server 2003. In my view, an enterprise deploying Windows 7 should choose the "Archive the log when full, do not overwrite events" option. It is the most complete of the three: the live log still holds the most recent events, so it stays easy to read, and the archived logs remain available whenever older information is needed.

Copyright © Windows knowledge All Rights Reserved