The WMI service maintains text log files for all operating systems earlier than Windows Vista and Windows Server 2008. These log files are stored in the %SystemRoot%\System32\WBEM\Logs folder. The log files include:
- Wbemcore.log
- Wbemess.log
- Mofcomp.log
- Wmiadap.log
- Wbemprox.log
- Framework.log
- Winmgmt.log
Most of these log files are configured to automatically wrap every 64KB. When the log file reaches this limit, it is renamed to logfile.lo_ and a new log file is created. Unfortunately, this does not happen with the Framework.log file - it will continue to grow indefinitely. This came to light recently at a client site when the backup team noticed that this file was taking a very long time to back up on Exchange servers. The Framework.log files on these servers exceeded 800MB.
Microsoft wrote a TechNet support article, "The Framework.log file grows larger than 64 KB when you use WMI on a Windows Server 2003 or Windows XP computer," which explains that this is due to permissions problem with the Network Service. As the article explains, the fix is to grant the Network Service account the Delete right on the %SystemRoot%\System32\WBEM\Logs folder.
Here's how to do this for all machines in the domain using Group Policy:
- Edit the appropriate Group Policy object for the managed computers. I used the Default Domain Policy.
- Navigate to Computer Configuration, Windows Settings, Security Settings, File System
- Right-click File System and select Add File...
- Navigate to the %SystemRoot%\System32\WBEM\Logs folder and click OK. A security window will appear.
- Add the LOCAL SERVICE and NETWORK SERVICE accounts, giving both accounts only Read and Write permissions.
- Click the Advanced button.
- Clear the "Inherit from parent the permission entries that apply to child objects" checkbox.
- Select the NETWORK SERVICE account and click Edit.
- Check Delete under the Allow column and click OK. Repeat for the LOCAL SERVICE account.
- Click OK four times to close all the dialog boxes.
The new security settings will be enforced on target computers on the next Group Policy refresh. After that, the large Framework.log file will be renamed to Framework.lo_ and a new Framework.log file will be created. Once that new logfile grows beyond 64KB it will replace the large file.
No comments:
Post a Comment
Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.