FS log caching

amitr0-2 · January 31, 2006, 1:26am

Hi all,

I am working on a peoduct similar to filemon, only difference is the amount
of logs generated. I need not show all the READ operations corresponding to
a file, just once for a qequence.

Eg. if it is like…

READ FILE1
READ FILE1
READ FILE1
WRITE FILE1
WRITE FILE2
READ FILE1

the logs can be consolidated to

READ FILE1
WRITE FILE1
WRITE FILE2
READ FILE1

Well I am tapping the FileObject->FsContext to help me with this issue.

However the other problem is caching the logs till the user mode service/app
calls for them.

Reading up the archieves and articles at OSR I found that several techniques
are there to do the same. The most benificial seems to be th inverted call
approach where the driver can ping the app when it is running ahort of
memory to get rid of the logs.

But there is no guarentee for this to work.

The other approach would be to store the logs in some file in the FS itself
( we have to deal with re entrancy problems ), or to store it to a RAMDRIVE
like device (inter driver communication), which would have the added
capability to dumo the logs to the disk once in a while.

I want to know which one of these would be the best, if I expect heavy
logging (even after consolidation).

Thanks.

–

amitr0

David_J_Craig · January 31, 2006, 2:00am

First, decide what information you want to have displayed. List each item
and provide the IRP where that information is accessable.
Second, decide if you want this information by file object or specific file.
You need to know this because usually FsContext is unique to the file and
not to the specific file open/create.
Third, total the size information for each data item using worse case
values. Decide how much memory you can use in the driver and how many files
that will entail. Don’t forget that file names can be 64kb in size using
the 32k Unicode characters. Maybe only keeping the file name and extension
without the path will be enough. You could save the names in a buffer and
when it fills up just send them to the application keeping only a sequence
number to continue compiling information.

You have to break down the task into pieces and see how they fit together.
The elimination of multiple read or write IRPs could be solved by having the
application handle it. Thinking about the design is the only solution.
Writing the code then doing a design is great for a throw away, but not for
something useful.

“amitr0” wrote in message news:xxxxx@ntfsd…
Hi all,

I am working on a peoduct similar to filemon, only difference is the amount
of logs generated. I need not show all the READ operations corresponding to
a file, just once for a qequence.

Eg. if it is like…

READ FILE1
READ FILE1
READ FILE1
WRITE FILE1
WRITE FILE2
READ FILE1

the logs can be consolidated to

READ FILE1
WRITE FILE1
WRITE FILE2
READ FILE1

Well I am tapping the FileObject->FsContext to help me with this issue.

However the other problem is caching the logs till the user mode service/app
calls for them.

Reading up the archieves and articles at OSR I found that several techniques
are there to do the same. The most benificial seems to be th inverted call
approach where the driver can ping the app when it is running ahort of
memory to get rid of the logs.

But there is no guarentee for this to work.

The other approach would be to store the logs in some file in the FS itself
( we have to deal with re entrancy problems ), or to store it to a RAMDRIVE
like device (inter driver communication), which would have the added
capability to dumo the logs to the disk once in a while.

I want to know which one of these would be the best, if I expect heavy
logging (even after consolidation).

Thanks.
–
- amitr0

OSR_Community_User · February 1, 2006, 7:03am

Circular buffer with ->Head and ->Tail pointers.

You fill it with text by advancing ->Head, and, when it becomes full
(WrapAroun (->Head + 1) == ->Tail) - then you can either a) ZwWriteFile it from
a work item, or b) send to the consumer user app/service, which is stalled
pending trying to read the log.

UNIX’s “syslogd” uses the second way.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “amitr0”
To: “Windows File Systems Devs Interest List”
Sent: Tuesday, January 31, 2006 9:25 AM
Subject: [ntfsd] FS log caching

Hi all,

I am working on a peoduct similar to filemon, only difference is the amount
of logs generated. I need not show all the READ operations corresponding to
a file, just once for a qequence.

Eg. if it is like…

READ FILE1
READ FILE1
READ FILE1
WRITE FILE1
WRITE FILE2
READ FILE1

the logs can be consolidated to

READ FILE1
WRITE FILE1
WRITE FILE2
READ FILE1

Well I am tapping the FileObject->FsContext to help me with this issue.

However the other problem is caching the logs till the user mode service/app
calls for them.

Reading up the archieves and articles at OSR I found that several techniques
are there to do the same. The most benificial seems to be th inverted call
approach where the driver can ping the app when it is running ahort of
memory to get rid of the logs.

But there is no guarentee for this to work.

The other approach would be to store the logs in some file in the FS itself
( we have to deal with re entrancy problems ), or to store it to a RAMDRIVE
like device (inter driver communication), which would have the added
capability to dumo the logs to the disk once in a while.

I want to know which one of these would be the best, if I expect heavy
logging (even after consolidation).

Thanks.

–

- amitr0

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com