none
2008 R2: forwarded events - data area passed to system call is too small

    Question

  • I am trying to set up even log forwarding from about 200 Windows 7 workstations to my 2008 R2 server to make it easier to watch for workstation problems.

    Configuration:

    • I am using Collector-initiated error reporting, for all errors matching: Error, Critical, Warning
    • All the client machines have had "winrm /quickconfig" applied.
    • All the client machines have the event collection server added as a local administrator.

    However when it comes to the actual event collecting, it doesn't work.

    When I right-click on the name of a subscribed group of computers, I choose "Runtime Status" and I see this:

    • [HS-BIZLAB-DESK.cornell.schools.internal] - Error - Last retry time: 3/22/2011 3:52:34 PM. Code (0x7A): The data area passed to a system call is too small. Next retry time: 3/22/2011 4:52:34 PM.
    • HS105-GIRLSPE-D.cornell.schools.internal] - Error - Last retry time: 3/22/2011 3:49:36 PM. Code (0x7A): The data area passed to a system call is too small. Next retry time: 3/22/2011 4:49:36 PM.
    • [HS213-AGRICUL-D.cornell.schools.internal] - Error - Last retry time: 3/22/2011 3:06:57 PM. Code (0x7A): The data area passed to a system call is too small. Next retry time: 3/22/2011 4:06:57 PM
    • [HS403-MATH-D.cornell.schools.internal] - Error - Last retry time: 3/22/2011 3:08:24 PM. Code (0x7A): The data area passed to a system call is too small. Next retry time: 3/22/2011 4:08:24 PM.
    • [HS501-RESRCE-D.cornell.schools.internal] - Error - Last retry time: 3/22/2011 3:08:11 PM. Code (0x7A): The data area passed to a system call is too small. Next retry time: 3/22/2011 4:08:11 PM.

    And so forth, all the way down the line. So event collection doesn't work for some unknown reason.

    I am thinking the error is probably because this is the first time these computers will be reporting in, and they have a huge glut of old saved errors to be reported all at once.

    Tuesday, March 22, 2011 9:10 PM

Answers

  • After fiddling with this some more, it apparently is indeed because I had too many events selected during the initial join event.

    By restricting the error reporting to only "Critical - System Events", the clients were now able to successfully join with a "started reporting" event.

    I have not yet tested if I can now crank the reporting back up to the high level where I was originally trying to start from.

     

    • Marked as answer by Dale Mahalko Saturday, March 26, 2011 11:53 PM
    Saturday, March 26, 2011 11:53 PM