Eventlog and Syslog « Krishna Ganugapati’s Weblog

Eventlog and Syslog

If you’re a Windows system administrator or a power user on Windows, you’ve visited the Window eventlog system at some point. Every Windows operating system be it a desktop, workstation, server, domain or controller has an eventlog service running that stores system events as structured records. The eventlog service is accessible to all components of the operating system. Kernel mode drivers can write events to the eventlog. User mode daemons can write events to the eventlog. Authenticated clients can read and write records to the eventlog. Because the eventlog functions as an RPC server, that means authenticated remote clients can access the eventlog. In the days of Windows 2000. I remember Jim Allchin sending out directives to all developers in Windows to ensure that the quality of events that were written into the eventlog were system administrator relevant and more importantly actionable. Developers with poor engineering hygiene were soundly chastised for misusing the eventlog. The structured record storage model implied that you could do eventlog analysis in a deterministic fashion. Note however that the eventlog was not build on top of a database. The eventlog is still a flat file. Thus to do analysis, a client program has to sequentially scan the eventlog and filter events that match its requirements.

Even with this limitation, the deterministic and structured storage of the eventlog in Windows allows for robust analysis, troubleshooting and problem diagnostics.

I’ve spent the last two years working on Linux and UNIX operating systems and I do miss structured system events which are deterministic. The logs are by nature text based and while I haven’t done much analysis myself, I wonder whether text logs make it easy auto diagnostic systems to detect system anomalies. I also find it troubling when logs in general have developer debugging information. It adds to the noise. Granted logs can be an invaluable aid to debugging, but I would be expect administrator logs to be different from developer logs. In any case, there are a host of companies that have built businesses around simplifying and reducing the noise-to-signal ratio UNIX log files.

June 6, 2008 - Posted by kganugapati | Uncategorized | | No Comments Yet

No comments yet.

« Previous | Next »

About Krishna Ganugapati

Krishna Ganugapati is Vice President of Engineering at Likewise Software Corporation where he is responsible for the design, architecture and engineering efforts of all products at Likewise.

Krishna has over 15 years of experience in the software industry most of which was at Microsoft Corporation where he served in several product and technology leadership positions. He left Microsoft in 2003 at which time he was architect in the Windows Real-time Communications Group.

As architect in the Office (erstwhile Windows Real-time Communications Group) Real-time Communications Group, Krishna was responsible for technology evaluation and review for real-time communications technologies including and not limited to SIP as a control channel, instant messaging, presence, voice and video over IP for real-time delivery, application sharing and white-boarding. He evangelized a unified SIP endpoint model for all media and application layer data protocols within Microsoft which is the basis for the real-time communications and collaboration platform in Windows Vista.

Prior to that, he was development manager of the wireless product unit in Windows Networking and Communications Group where he conceived and led the development of several wireless technologies in Windows including the wireless 802.1x authentication system, the wireless zero configuration architecture and the native WiFi architecture for software access points. As development manager in the Windows wireless product unit he was responsible for all technology vision, strategy and execution of products. The wireless zero configuration feature was touted as one of the most compelling in Windows XP and spearheaded unprecedented growth for wireless broadband communications.

Prior to that, Krishna led the development effort for a slew of network security technologies including IPSec. He led the joint Microsoft-Cisco development in 1998-2000 to produce the first widespread implementation of the IPSec standard in Windows.

From 1993-1997, Krishna was member of the Windows Distributed Systems Group through the inception and delivery of Active Directory in Windows 2000. Krishna was the principal engineer and inventor of the Active Directory Services Interfaces which continues to be the principal means of accessing the Active Directory.

He holds a BS in Computer Science from the University of Mysore, India and an MS in Computer Science from Virginia Tech.

Archives
- June 2009 (1)
- May 2009 (1)
- April 2009 (1)
- March 2009 (5)
- February 2009 (7)
- January 2009 (3)
- December 2008 (9)
- August 2008 (1)
- July 2008 (1)
- June 2008 (6)
- May 2008 (2)
Categories
- DCE/RPC
- Group Policy
- Likewise
- Likewise Enterprise
- Likewise Open
- LWIO
- Mac OS X
- Microsoft
- MMC
- MSRPC
- Named Pipes
- RDR
- SMB
- sustained competitive advantage
- Uncategorized
- unfair advantage
- Windows Explorer
  - File Server
RSS
Entries RSS
Comments RSS

Krishna Ganugapati’s Weblog

Making Linux systems first class citizens in a Windows Network

Eventlog and Syslog

Leave a comment

About Krishna Ganugapati

Recent

Links

Archives

Categories

RSS

Site info