Internal Supercharger Logs


bobbychan

I am setting up Supercharger for DCs and Monitoring AD Changes.  I have numerous Warnings/Errors concerning "Log lost # with EPS 1 during last analysis period - as reported by Windows Event Tracing (ETW)".  What does this mean?  Are my logs not complete?
Craig Mitchell

bobbychan - 6/7/2017
I am setting up Supercharger for DCs and Monitoring AD Changes.  I have numerous Warnings/Errors concerning "Log lost # with EPS 1 during last analysis period - as reported by Windows Event Tracing (ETW)".  What does this mean?  Are my logs not complete?

Hi - Could you please send me the version of Supercharger you have installed?

Thank You
Craig
bobbychan

cmitchell - 6/7/2017
bobbychan - 6/7/2017
I am setting up Supercharger for DCs and Monitoring AD Changes.  I have numerous Warnings/Errors concerning "Log lost # with EPS 1 during last analysis period - as reported by Windows Event Tracing (ETW)".  What does this mean?  Are my logs not complete?

Hi - Could you please send me the version of Supercharger you have installed?

Thank You
Craig

17.5.39.0
RandyFranklinSmith

bobbychan - 6/7/2017
I am setting up Supercharger for DCs and Monitoring AD Changes.  I have numerous Warnings/Errors concerning "Log lost # with EPS 1 during last analysis period - as reported by Windows Event Tracing (ETW)".  What does this mean?  Are my logs not complete?

Supercharger is warning you that WEC is reporting dropped events which in our lab results from an overloaded collector.  This is one of the many checks that Supercharger makes and surfaces to you which you may never know otherwise.

That being said, if you are using the Active Directory Changes filter provided in Supercharger, and if that is your only subscription, I wouldn't expect that to overload even a small Collector.  So can you provide:
- specs on collector
- specs on subscriptions on that collector
- copy of the log.  You can private message that to me in this forum

Craig Mitchell

RandyFranklinSmith - 6/7/2017
bobbychan - 6/7/2017
I am setting up Supercharger for DCs and Monitoring AD Changes.  I have numerous Warnings/Errors concerning "Log lost # with EPS 1 during last analysis period - as reported by Windows Event Tracing (ETW)".  What does this mean?  Are my logs not complete?

Supercharger is warning you that WEC is reporting dropped events which in our lab results from an overloaded collector.  This is one of the many checks that Supercharger makes and surfaces to you which you may never know otherwise.

That being said, if you are using the Active Directory Changes filter provided in Supercharger, and if that is your only subscription, I wouldn't expect that to overload even a small Collector.  So can you provide:
- specs on collector
- specs on subscriptions on that collector
- copy of the log.  You can private message that to me in this forum

Could you also provide the CPU that is being reported by that collector?
bobbychan

cmitchell - 6/7/2017
RandyFranklinSmith - 6/7/2017
bobbychan - 6/7/2017
I am setting up Supercharger for DCs and Monitoring AD Changes.  I have numerous Warnings/Errors concerning "Log lost # with EPS 1 during last analysis period - as reported by Windows Event Tracing (ETW)".  What does this mean?  Are my logs not complete?

Supercharger is warning you that WEC is reporting dropped events which in our lab results from an overloaded collector.  This is one of the many checks that Supercharger makes and surfaces to you which you may never know otherwise.

That being said, if you are using the Active Directory Changes filter provided in Supercharger, and if that is your only subscription, I wouldn't expect that to overload even a small Collector.  So can you provide:
- specs on collector
- specs on subscriptions on that collector
- copy of the log.  You can private message that to me in this forum

Could you also provide the CPU that is being reported by that collector?

Same Specs on CPU.  I created two of the same.
Tamas Lengyel

For the benefit of others who might come across the same issue, here is a brief summary of what happened after some private communication:
  • We have released a small patch for a small bug that slightly increased the number of lost events. This patch is now part of the latest version downloadable from the website.
  • We have confirmed in Performance Monitor that Windows is reporting the same number of lost events as Supercharger, so it is not a Supercharger issue, but a Windows issue.
  • We have confirmed that there is enough RAM on the systems. Insufficient RAM could cause the Windows Event Collector to be unable to process events in a timely fashion.
  • Finally, instead of a custom Supercharger event log, the Forwarded Events event log is now used in the subscription. After this, no more events lost. We've never seen that happen. If this comes up with additional folks, we will re-examine.

bjvista

Tamas Lengyel - 6/15/2017
For the benefit of others who might come across the same issue, here is a brief summary of what happened after some private communication:
  • We have released a small patch for a small bug that slightly increased the number of lost events. This patch is now part of the latest version downloadable from the website.
  • We have confirmed in Performance Monitor that Windows is reporting the same number of lost events as Supercharger, so it is not a Supercharger issue, but a Windows issue.
  • We have confirmed that there is enough RAM on the systems. Insufficient RAM could cause the Windows Event Collector to be unable to process events in a timely fashion.
  • Finally, instead of a custom Supercharger event log, the Forwarded Events event log is now used in the subscription. After this, no more events lost. We've never seen that happen. If this comes up with additional folks, we will re-examine.

Here is another update we have discovered about the dropped events:
Over the past few weeks we have done some very in-depth extensive research into ETW and the “Events Dropped” performance counter.  Contrary to widely held understanding, Dropped Events does not indicate WEC is failing to deliver events from forwarding computers to the destination event logs.  In fact, our extensive testing has revealed very good news.  Even under heavily overloaded conditions, WEC does not lose events.  In such cases, WEC may slow down and in extreme cases even stop receiving events but events are never lost in a black hole.
This is really good news and means we are re-instrumenting how Supercharger interprets the Dropped Events counter.  Our experiments show that this counter still has value for indicating when WEC is overloaded and needs more resources or re-balancing of workload.  And this is important because if WEC is too slow in receiving events or stops accepting events, logs could potentially wrap on source computers before the events are forwarded.  Getting value from the Dropped Events counter will take some more research and expect enhancements in the future.  We also plan enhancements for more sophisticated detection of slow or hung WEC collectors in the near future.
But the more immediate action we are taking is changing Supercharger so that it no longer issues the warning you’ve been seeing when it sees an increase in the Dropped Events counter because the warning is inaccurate and gives the false impression you are losing events. 
Please update to the latest version 19.7.1 by downloading the package here:  https://www.logbinder.com/Form/SCDownload.  You can perform an in-place upgrade with the downloaded installation package.
We will be publishing a blog soon on the research we did in conjunction with this issue. 
But for now, you can rest easy about this warning.  No events are being lost.  Update to the latest version and you will no longer receive them.
The Supercharger for Windows Event Collection team remains committed to helping you monitor every aspect of health throughout your logging pipeline.
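
The two signals discussed in this thread can be checked by hand on a collector. The script below is an added example, not code from LOGbinder or Supercharger: it samples the ETW session lost-events counter twice to see whether it is growing, then lists forwarding sources whose newest event in the Forwarded Events log is old, which is the slow-or-hung condition that could let a source log wrap. Assumptions: the counter meant in the thread is `\Event Tracing for Windows Session(*)\Events Lost`, subscriptions deliver to `ForwardedEvents`, and the sample window, staleness threshold and event cap are arbitrary values chosen here.

```powershell
# Added example: run on the WEC collector in an elevated PowerShell session.
# Parameter defaults are assumptions, not values from the thread.
param(
    [int]$SampleSeconds = 10,    # gap between the two counter samples
    [int]$StaleMinutes  = 60,    # age at which a source is reported as stale
    [int]$MaxEvents     = 5000   # how many recent forwarded events to inspect
)

# 1. "Events Lost" is cumulative per ETW session, so sample twice and diff.
$path   = '\Event Tracing for Windows Session(*)\Events Lost'
$first  = (Get-Counter -Counter $path).CounterSamples
Start-Sleep -Seconds $SampleSeconds
$second = (Get-Counter -Counter $path).CounterSamples

$before = @{}
foreach ($s in $first) { $before[$s.InstanceName] = $s.CookedValue }

$growing = foreach ($s in $second) {
    if ($before.ContainsKey($s.InstanceName)) {
        $delta = $s.CookedValue - $before[$s.InstanceName]
        if ($delta -gt 0) {
            [pscustomobject]@{
                Session   = $s.InstanceName
                LostDelta = $delta
                LostTotal = $s.CookedValue
            }
        }
    }
}

# 2. Newest forwarded event per source computer. A quiet source also looks
#    stale, and a source with nothing in the last $MaxEvents is not listed.
$now   = Get-Date
$stale = Get-WinEvent -LogName 'ForwardedEvents' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Group-Object -Property MachineName |
    ForEach-Object {
        $newest = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        [pscustomobject]@{
            Source      = $_.Name
            NewestEvent = $newest
            AgeMinutes  = [math]::Round(($now - $newest).TotalMinutes, 1)
        }
    } |
    Where-Object { $_.AgeMinutes -ge $StaleMinutes }

"ETW sessions whose Events Lost grew in the last $SampleSeconds s:"
$growing | Sort-Object LostDelta -Descending | Format-Table -AutoSize
"Sources with no forwarded event in the last $StaleMinutes min:"
$stale | Sort-Object AgeMinutes -Descending | Format-Table -AutoSize
```

Per the last post above, a growing counter is read as a collector load indicator rather than proof of lost events; the stale-source list is the part that points at logs at risk of wrapping on the source.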

