Tuesday, August 5, 2008

[THIN] Re: Sifting thru the data

Thank you very much for all this.
 
 


From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Rick Mack
Sent: July 20, 2008 3:01 AM
To: thin@freelists.org
Subject: [THIN] Re: Sifting thru the data

Hi Doug,
 
I did this a few years ago for a customer having severe disconnection problems which ended up being due to a slightly bent Cisco router.
 
I used dumpel (Windows resource kit) to sieve through the eventlogs to get all the logon disconnection/connection data and dump it as a csv file. Then there was a batch file with a for loop that cleaned things up so it could be imported into Excel and graphed.
 
The idea was to combine all the logs, sort on data so you could see the distribution of disconnections, on a server, time and user basis. That should let you narrow down on the cause of the problem.
 
This is the stuff I had in my notes:
 
Events extracted from event logs.
 

Security | Security    | Logon/logoff | 682  | Session reconnected
Security | Security    | Logon/logoff | 683  | Session disconnected
System   | TermService | None         | 9007 | Autoclient reconnect
System   | TermService | None         | 9006 | Autoclient failed (cookie)

 

The following 2 command lines were used to extract these events in comma delimited format from the security and system logs on the farm servers.

For /f %i in ('qfarm /load ^| find /I "tml"') do dumpel -s \\%i -l security -m security -e 682 683 -c >> farm_seclog.txt


For /f %i in ('qfarm /load ^| find /I "tml"') do dumpel -s \\%i -l system -m termservice -e 9007 -c >> farm_syslog.txt


The stuff we extracted were things like:
 
 

Top Ten Affected Users


User        | WS Type | IP Address | ICA client build | Disconnects
cdraper     | PC      | 10.1.2.162 |                  | 90
charris     | WT      | 10.1.4.174 | 931              | 100
dmorris *   | PC      | 10.1.2.163 | 21825            | 250
gbousgas    | PC      | 10.1.1.162 | 1050             | 137
jelder      | PC      | 10.1.1.169 | 21825            | 156
kdoyle      | PC      | 10.1.2.168 | 21825            | 117
mmckavanagh | PC      | 10.1.2.163 |                  | 115
mparry      | PC      | 10.1.1.167 |                  | 75
scarter     | PC      | 10.1.2.170 | 21825            | 235
tpratt      | PC      | 10.1.2.165 | 21825            | 125

We also did a disconnections by site and disconnections by server frequency. As stated earlier, it turned out to be a router at head office. To find that took someone doing network packet capture between a server and one of the most heavily affected users.

regards,

Rick


 
On 7/18/08, Stratton, Doug ISMC:EX <Doug.M.Stratton@gov.bc.ca> wrote:

We are in the process of trying to look thru our W2K3 Security logs to identify how many times clients are connecting/dropping/reconnecting again.

It seems like mountains of data and I was just wondering if there is a simple solution to gathering this data.

The sort of thing I would like is something like:

UserA
        Date - logon
        Date - logoff (or other such thing, drop/disconnect…)


UserB
        ….

We are going thru this exercise because we have clients who are reporting drops and we want to get a better picture of how bad this is.

Any scripts out there or tools that can do this would be greatly appreciated.

Regards,
Doug Stratton, Shared Service BC
Service Desk Email: 77000@gov.bc.ca
Service Desk Tel: (250)387-7000


 



--
Ulrich Mack
Quest Software
Provision Networks Division
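
As an added example (not part of the original thread, and not the batch file Rick mentions), the Python below does the combine-and-sort step described in the message over comma-delimited 682/683 event rows: it builds a per-user timeline of the kind Doug asks for, plus disconnect counts by user, server and hour. The column order, the date format and the sample rows are assumptions constructed for illustration; check them against your own export before relying on the indices.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime

# Assumed column order (adjust to your export): date, time, type, category,
# event ID, source, user, computer, description. Date format is also assumed.
DATE, TIME, EVENT_ID, USER, COMPUTER = 0, 1, 4, 6, 7
EVENTS = {"682": "reconnect", "683": "disconnect"}

# Constructed sample rows, not real log data.
SAMPLE = """\
7/14/2008,9:02:11 AM,8,2,683,Security,CORP\\usera,TML01,Session disconnected
7/14/2008,9:03:40 AM,8,2,682,Security,CORP\\usera,TML01,Session reconnected
7/14/2008,9:47:05 AM,8,2,683,Security,CORP\\userb,TML02,Session disconnected
7/14/2008,10:15:30 AM,8,2,683,Security,CORP\\usera,TML02,Session disconnected
7/14/2008,10:16:02 AM,8,2,528,Security,CORP\\userc,TML01,Successful logon
malformed line without enough fields
"""

def summarize(lines):
    """Return (per-user timeline, disconnects by user, by server, by hour)."""
    timeline = defaultdict(list)
    by_user, by_server, by_hour = Counter(), Counter(), Counter()
    for row in csv.reader(lines):
        if len(row) <= COMPUTER or row[EVENT_ID].strip() not in EVENTS:
            continue  # short rows, and events other than 682/683
        stamp = f"{row[DATE].strip()} {row[TIME].strip()}"
        try:
            when = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
        except ValueError:
            continue  # timestamp not in the assumed format
        user, server = row[USER].strip().lower(), row[COMPUTER].strip()
        kind = EVENTS[row[EVENT_ID].strip()]
        timeline[user].append((when, kind, server))
        if kind == "disconnect":
            by_user[user] += 1
            by_server[server] += 1
            by_hour[when.strftime("%Y-%m-%d %H:00")] += 1
    for events in timeline.values():
        events.sort()
    return timeline, by_user, by_server, by_hour

if __name__ == "__main__":
    timeline, by_user, by_server, by_hour = summarize(SAMPLE.splitlines())
    for user, events in sorted(timeline.items()):
        print(user)
        for when, kind, server in events:
            print(f"        {when:%Y-%m-%d %H:%M:%S} - {kind} ({server})")
    print(by_user.most_common(10), dict(by_server), dict(by_hour))
```

Feed it the combined lines of the security-log export from every farm server; a spike in one hour bucket across many servers points at the network rather than at a single host.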
