locked
Log files using up disk space RRS feed

  • Question

    1. Hi,
      I've been noticing that the amount of disk space on the c drive of the SCCM server is gradually being used up. I've narrowed it down to log files being created at a rate of 1 or 2 each day that are located in
      C:\WINDOWS\system32\LogFiles (currently sits at 7GB).
      So i guess my question is
      1. Can I safely delete these log files manually? (there are currently 1 year worth of text files, 1 or 2 created daily for each day since SCCM was installed)
      2. Perhaps more importantly, do I have a problem? (everything seems to be working ok) The logs contain millions of lines with this "error" repeated over and over again. I assume this is not normal. Anyone seen this before?
    #Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status 
    2009-11-11 00:00:01 W3SVC749041787 192.168.129.53 POST /ApiRemoting30/WebService.asmx - 8530 - 192.168.129.53 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 401 1 0
    2009-11-11 00:00:01 W3SVC749041787 192.168.129.53 POST /ApiRemoting30/WebService.asmx - 8530 DOMAIN\S-FK-SCCM$ 192.168.129.53 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.1433) 200 0 0
    Monday, November 16, 2009 2:27 PM

Answers

  • If those are IIS log files, you would configure IIS logging to address that.  There are several different logging levels for IIS to overwrite as needed, etc. etc.  I'd try to tell you exactly how, but different versions of IIS might make my directions not match at all the version of IIS you are running.  Check your IIS version, and then check how to setup logging the right way.

    Temporarily of course, feel free to delete those IIS log files if you think you do not need them. (Your likely don't).  Probably just keep the most recent. As for the 401 errors; if those are in your most recent log file, no reason to keep the old ones.  Then you can start troubleshooting that, and/or contact Microsoft to see what might be going on.  (I'm a horrible Web troubleshooter, so I'm not going to try. Sorry)
    Standardize. Simplify. Automate.
    Monday, November 16, 2009 6:51 PM

All replies

  • It's normally safe to remove logs. I am unfamiliar with these exact logs in this location.



    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
    Monday, November 16, 2009 2:56 PM
  • OK, had another look, these are IIS logs that i assume is related to WSUS (on the same server and installed at the same time as SCCM).
    There are lots of "200" status messages that obviously mean something is happy, but the vast majority are "401" errors stated in my first post, to the extent that there are sometimes up to 50 exact same error messages every second and go on for hours non-stop, they can stop for about 10 minutes to an hour then start up again, this happens 24/7.

    i know i can switch off logging, but i'd rather have a clue as to whats going wrong. WSUS works fine, clients report back patch levels and WSUS syncs fine with MS.

    im confused as to what is happening here.
    Monday, November 16, 2009 5:19 PM
  • If those are IIS log files, you would configure IIS logging to address that.  There are several different logging levels for IIS to overwrite as needed, etc. etc.  I'd try to tell you exactly how, but different versions of IIS might make my directions not match at all the version of IIS you are running.  Check your IIS version, and then check how to setup logging the right way.

    Temporarily of course, feel free to delete those IIS log files if you think you do not need them. (Your likely don't).  Probably just keep the most recent. As for the 401 errors; if those are in your most recent log file, no reason to keep the old ones.  Then you can start troubleshooting that, and/or contact Microsoft to see what might be going on.  (I'm a horrible Web troubleshooter, so I'm not going to try. Sorry)
    Standardize. Simplify. Automate.
    Monday, November 16, 2009 6:51 PM
  • I've occasionally used FORFILES.EXE to deal with these.  e.g.

    at 12:00 /EVERY:Su Forfiles.exe -p C:\WINDOWS\system32\LogFiles\W3SVC1 -m *.log -d -30 -c \"Cmd.exe /C del @path\"

    This will run every Sunday, and will delete files older than 30 days in the LogFiles\W3SVC1 folder.  Tweak to suit.
    Regards,
    Tom Watson,
    E-Mail: Tom_...@...
    Blog: http://myitforum.com/cs2/blogs/tom_watson
    Tuesday, November 17, 2009 4:16 PM