Event Viewer - Any Limits?

Hi,

Is there any limit for number of times (entries) that a driver writes to the Event Viewer?
I know that there is no formal limit since after all it is a call to a function, but as a guideline, what is a reasonable number of times you expect a driver to write to this log let’s say in a time cycle of 24Hrs?

Thanks

Alon

The event log is not a runtime trace facility. Its use should be restricted to major state changes in your product and error conditions that you need to record in order to support your product. The difference between that and a ‘runtime trace facility’ is pretty muddy but there is a difference.

To answer your question, other than during boot, there are no real hard limits. During boot there is a rather small buffer used to cache events until the system is fully operational. If the boot event buffer overflows, events get lost.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-287827-
xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Thursday, May 24, 2007 4:47 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Event Viewer - Any Limits?

Hi,

Is there any limit for number of times (entries) that a driver writes
to the Event Viewer?
I know that there is no formal limit since after all it is a call to a
function, but as a guideline, what is a reasonable number of times you
expect a driver to write to this log let’s say in a time cycle of
24Hrs?

Thanks

Alon


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

As Mark Roddy already said there are no hard and fast limits on this, but
many admins have it set to be a circular buffer of limited size. So please
don’t be one of the stupid drivers that dumps everything into the event
log. I wrote a couple of blog postings on the Event Log and some suggested
guidelines for what you put in it, see
http://msmvps.com/blogs/windrvr/archive/2007/02.aspx


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


On the flip side of this, drivers that do not log error conditions into
the event log should be taken out and shot. While it is one thing for
developers to grovel through dumps and debuggers looking for clues as to
why some driver is misbehaving, end users are completely in the dark
with this sort of silent failure behavior.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Thursday, May 24, 2007 8:13 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Event Viewer - Any Limits?

As Mark Roddy already said there are no hard and fast limits on this, but
many admins have it set to be a circular buffer of limited size. So please
don’t be one of the stupid drivers that dumps everything into the event
log. I wrote a couple of blog postings on the Event Log and some suggested
guidelines for what you put in it, see
http://msmvps.com/blogs/windrvr/archive/2007/02.aspx


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


How many times in a 24 hour period do you want to have the system administrator paged?

The customer for the event log is usually the sort of system admin who carries a pager for when the critical machine dies - most end users don’t even know the event log is there. Sometimes the customer might be you when you need to debug something, but there are other good options for that (WPP tracing for example).

Just about every time I’ve added an event log entry without really thinking about what I expect someone to do in reaction to it, I’ve later wished I hadn’t done it. Just like an error message, you should think about who is reading it and what you expect them to do with it (and then your messages should guide them to that result so they don’t just sit there wondering WTF).

-p


Well I disagree. WPP tracing is not a replacement for putting
information into the event log as WPP is generally not enabled by
default. The eventlog is the only persistent record your driver can
count on being there when it falls down. The contents of the eventlog
need not be end-user friendly (for example see the scsiport/storport
eventlog entries for HBAs, which need a KB-based decoder ring for
comprehension), they need to be sufficient to support the product. On
the other hand I agree about the spew issue. It is a bit of a balancing
act.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Wieland
Sent: Thursday, May 24, 2007 12:27 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Event Viewer - Any Limits?

How many times in a 24 hour period do you want to have the system
administrator paged?

The customer for the event log is usually the sort of system admin who
carries a pager for when the critical machine dies - most end users
don’t even know the event log is there. Sometimes the customer might be
you when you need to debug something, but there are other good options
for that (WPP tracing for example).

Just about every time I’ve added an event log entry without really
thinking about what I expect someone to do in reaction to it I’ve later
wished I hadn’t done it. Just like an error message you should think
about who is reading it and what you expect them to do with it (and then
your messages should guide them to that result so they don’t just sit
there wondering WTF)

-p


I concur with Mark. My wife used to be an enterprise consultant for HP,
advising system admins, and checking the event log is her first reaction to
a problem. WPP tracing is not a replacement for event logs; it is a
developer’s tool, not an administrator’s. Both are desirable in a driver,
but they perform totally different functions.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

“Roddy, Mark” wrote in message news:xxxxx@ntdev…
Well I disagree. WPP tracing is not a replacement for putting
information into the event log as WPP is generally not enabled by
default. The eventlog is the only persistent record your driver can
count on being there when it falls down. The contents of the eventlog
need not be end-user friendly (for example see the scsiport/storport
eventlog entries for HBAs, which need a KB-based decoder ring for
comprehension), they need to be sufficient to support the product. On
the other hand I agree about the spew issue. It is a bit of a balancing
act.


There’s a fine line between logging too much and logging too little, between providing log entries which are useful vs. log entries which are alarming vs. log entries which are just confusing. You also have to worry about whether the person reading the log is actually experienced with your particular technology or not.

So I’ll stick with my suggestion. Think about who you’re trying to provide the data for. Think about what a system admin would need to know to figure out why your software product isn’t working, or why their system is slow or keeps crashing. Think about how much data they want to page through to figure that out (for example - logging each interrupt would be silly. Logging a flood of them might make sense if that’s a common problem with your device).

If the data is for your use then use WPP and don’t shove it in the admin’s face. Yes, it means you can’t solve your problem on the first occurrence (unless you set up a logger yourself during install) but you’re also not making the other 99% of the administrator’s work harder to make your life easier.

Probably the best advice would be to talk to some of your customers, testers, beta users, etc… and see what they want to know.

-p
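
The flood case from the message above (log the flood, not each interrupt), as an added example that is not part of the original thread: a per-condition throttle that writes one record, then counts repeats and reports the count with the next record, so a misbehaving device cannot push older entries out of a size-limited circular log. All names, the 60-second window and the event ID are assumptions; `emit` stands in for the driver's real write path (`IoAllocateErrorLogEntry` / `IoWriteErrorLogEntry`).

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; not taken from the thread or any driver. */
#define WINDOW_MS 60000u   /* assumed policy: one record per condition per minute */

typedef struct {
    uint32_t event_id;      /* condition being reported */
    uint64_t window_start;  /* ms timestamp of the last record written */
    uint32_t suppressed;    /* occurrences swallowed since that record */
    int      active;        /* 0 until the first occurrence is seen */
} log_throttle;

/* Stand-in for the real write path. Counts records so the effect of the
   throttle can be measured. */
static unsigned records_written;
static void emit(uint32_t id, uint32_t repeats) {
    records_written++;
    printf("event 0x%08x, %u earlier occurrence(s) suppressed\n",
           (unsigned)id, (unsigned)repeats);
}

/* Report one occurrence at time now_ms. Returns 1 if a record was written. */
int throttle_report(log_throttle *t, uint64_t now_ms) {
    if (t->active && now_ms - t->window_start < WINDOW_MS) {
        t->suppressed++;              /* inside the window: count, do not log */
        return 0;
    }
    emit(t->event_id, t->suppressed); /* first hit, or the window has expired */
    t->active = 1;
    t->window_start = now_ms;
    t->suppressed = 0;
    return 1;
}

/* Constructed input: 10,000 spurious interrupts 1 ms apart, then one more
   two minutes later. Returns the number of records written. */
unsigned simulate_flood(void) {
    log_throttle t = { 0xC0000001u /* constructed ID */, 0, 0, 0 };
    records_written = 0;
    for (uint64_t ms = 0; ms < 10000; ms++)
        throttle_report(&t, ms);
    throttle_report(&t, 130000);
    return records_written;
}

int main(void) {
    printf("%u records for 10001 occurrences\n", simulate_flood());
    return 0;
}
```

In a driver the throttle state needs synchronization, since the reporting path can run on several processors at once, and the timestamp would come from the kernel clock rather than a parameter.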

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Thursday, May 24, 2007 9:54 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Event Viewer - Any Limits?

I concur with Mark. My wife used to be an enterprise consultant for HP,
advising system admins, and checking the event log is her first reaction to
a problem. WPP tracing is not a replacement for event logs; it is a
developer’s tool, not an administrator’s. Both are desirable in a driver,
but they perform totally different functions.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


Hey,
Thanks a lot!
Your answers were very helpful!