
FIM: configuring driver without LEM WebConsole

Created by Randall Harwood, last modified by MindTouch on Jun 23, 2016


Overview

 

Several parameters are available for tuning the FIM driver. Under certain circumstances (e.g. customer requirements to fine-tune the driver's default behavior) these parameters need to be changed with a more hands-on approach.

Environment

  • Before going into details, a few notes to remember:

    1) The FIM driver's entire configuration resides in the Windows Registry under the following Registry Key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWFsFltr\

    The quickest way to change the driver's parameters is to work directly with the Registry via the Windows Registry Editor. Although only the driver Registry Key will be affected, you should exercise caution when working with the Registry.

    2) Back up (export) the whole driver key before editing it.

    3) Administrative privileges are required to change the Registry.

 

Resolution

  1. List of FIM driver parameters

    The following parameters appear as Registry values inside the driver's Parameters subkey. They may or may not appear in the Registry (default values are not visible in the Registry):

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWFsFltr\Parameters

    | Name | Type | Description | Value assigned by agent (default) |
    |------|------|-------------|-----------------------------------|
    | LogBufferSize | REG_DWORD | Controls the size (in Kb) of the buffer allocated in memory to store data before it is written to the log file. | 64 |
    | FSLogFileLocation | REG_SZ | Driver output directory for storing File System logs (FIM File and Directory Connector reads this directory). Do not edit this value manually! | C:\ProgramData\Solarwinds\LEM\FIMLogs |
    | RegLogFileLocation | REG_SZ | Driver output directory for storing Registry logs (FIM Registry Connector reads this directory). Do not edit this value manually! | C:\ProgramData\Solarwinds\LEM\FIMLogs |
    | LogFlushTimeout | REG_DWORD | Controls the timer for writing data into logs after periods of time. | 10 |
    | MaximumLogFileSize | REG_DWORD | Sets the maximum size (in Mb) a log file can reach before the driver writes to another log file. | 5 |
    | MaximumLogFolderSize | REG_DWORD | Sets the maximum size (in Mb) the log folder can reach before logs are rotated (old logs removed to free space for new ones). | 2048 |
    | FSWatchElementList | REG_BINARY | Stores watched file and directory names as well as tracked operations and mask. Do not edit this value manually! | (depends on connector config) |
    | RegistryWatchElementList | REG_BINARY | Stores watched registry key and value names as well as tracked operations and mask. Do not edit this value manually! | (depends on connector config) |

    * Values in italics do not appear in Driver Registry Key (defaults used).

     

    Additionally, a few more important values are located in the driver's parent key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWFsFltr\

    | Name | Type | Description |
    |------|------|-------------|
    | Start | REG_DWORD | Controls driver behavior on agent machine boot. Corresponds to "Enable Driver on Agent Startup" in LEM WebConsole. 0x2 – auto-load on OS boot; 0x4 – do not load on OS boot. |
    | Version | REG_SZ | Stores the version of the currently installed driver. LEM 6.1.0 agent comes with 1.1.0.14. |

Cause 

Details on parameters:

FSLogFileLocation & RegLogFileLocation are preset with the location that matches the one listed in the FIM Connector in the Web Console. While it is possible to change these values by hand, we advise against it. If you need to change the FIM log folders, follow the separate procedure below.

From LEM User Guide:

To manually change the log file location:

  1. Enter or paste the correct path in the Log Directory field.
  2. Stop the Agent.
  3. Manually update the Agent's spop.conf property:
     • com.solarwinds.lem.fim.minifilter.fsLogLocation= for a file and directory connector. This appears as %SystemDrive%\\Mylocation\\FileSystem in the config file.
     • com.solarwinds.lem.fim.minifilter.registryLogLocation= for a registry connector. This appears as C:\\My other log location\\Registry in the config file.
  4. Restart the Agent.

MaximumLogFolderSize indicates the maximum space the FIM log directory can take. Once this size is reached, the oldest log file is removed to make room for the newest one. The default size is 2 Gb. Note that this value should be at least 5 times greater than the maximum size of a single log file (MaximumLogFileSize, which by default is 5 Mb). If this condition is not met, the driver disregards the registry value and assigns a value matching this criterion. Generally it's better to keep the file size at the default (small files put pressure on file writes and the log reader; big ones are cumbersome to deal with).

FSWatchElementList & RegistryWatchElementList should not be edited by hand. Leave these to Connector configurations done via Web Console (or check below for more info).

LogFlushTimeout controls the timer on which FIM flushes collected data from the buffer into the file. The driver performs the write on either of these conditions:

  • Buffer is filled with events (high load of occurring events)
  • On timer (useful when load is small and buffer fills up slowly)

This behavior was introduced to reduce the driver's impact on the OS: frequent writes put pressure on the disk, hence the timer, while a quick reaction is still required when the event load is high, hence the flush when the buffer fills. Note: 10 seconds is the default and the minimum allowed for LogFlushTimeout.

 

How to set or change Registry values of FIM driver

  1. Stop the FIM driver on the agent machine (WebConsole's Manage->Nodes->FIM driver Control dropdown)
  2. Log in to the agent machine as an admin user
  3. Stop the agent service
  4. Start Registry Editor (Run->regedit)
  5. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SWFsFltr\Parameters
  6. Change or add any required parameter by creating a correctly named Registry Value with the matching type and assigning the necessary value (see above)
  7. Save changes
  8. Start the agent service and start the FIM driver

From this point, the changes should apply, with the driver acting in accordance with the set parameters.
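
The following PowerShell is an added example, not SolarWinds code: it performs the registry part of the procedure (steps 4 to 7), exporting the driver key first and rejecting values that break the rules stated above. The backup path and the proposed values are assumptions; the FIM driver and the agent service are expected to be stopped already.

```powershell
# Added example (not vendor code). Run elevated, after the FIM driver and the
# agent service have been stopped (steps 1-3 of the procedure).
$DriverKey  = 'HKLM:\SYSTEM\CurrentControlSet\services\SWFsFltr'
$ParamKey   = Join-Path $DriverKey 'Parameters'
$BackupFile = Join-Path $env:TEMP 'SWFsFltr-backup.reg'   # assumed backup path

# Defaults from the parameter table; used when a value is absent from the registry.
$Defaults = @{ LogBufferSize = 64; LogFlushTimeout = 10
               MaximumLogFileSize = 5; MaximumLogFolderSize = 2048 }
# Values the article says must never be edited by hand.
$HandsOff = 'FSLogFileLocation', 'RegLogFileLocation',
            'FSWatchElementList', 'RegistryWatchElementList'
# Proposed changes (constructed sample values).
$Proposed = @{ LogFlushTimeout = 30; MaximumLogFolderSize = 4096 }

if (-not (Test-Path $ParamKey)) { throw "Key not found: $ParamKey" }

# Value in effect after the change: proposed, else current, else default.
function Get-EffectiveValue([string]$Name) {
    if ($Proposed.ContainsKey($Name)) { return [int]$Proposed[$Name] }
    $current = Get-ItemProperty -Path $ParamKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $current) { return [int]$current.$Name }
    return [int]$Defaults[$Name]
}

foreach ($name in $Proposed.Keys) {
    if ($HandsOff -contains $name) { throw "$name must not be edited manually." }
    if (-not $Defaults.ContainsKey($name)) { throw "$name is not a listed DWORD parameter." }
}
# 10 seconds is the minimum allowed flush timeout.
if ((Get-EffectiveValue 'LogFlushTimeout') -lt 10) { throw 'LogFlushTimeout must be at least 10.' }
# The folder limit must be at least 5x the single-file limit, otherwise the
# driver disregards the registry value.
$file   = Get-EffectiveValue 'MaximumLogFileSize'
$folder = Get-EffectiveValue 'MaximumLogFolderSize'
if ($folder -lt 5 * $file) { throw "MaximumLogFolderSize ($folder) is below 5 x MaximumLogFileSize ($file)." }

# Export the whole driver key before touching it.
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\services\SWFsFltr' $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; nothing was changed.' }

foreach ($name in $Proposed.Keys) {
    New-ItemProperty -Path $ParamKey -Name $name -PropertyType DWord `
        -Value $Proposed[$name] -Force | Out-Null
}
Get-ItemProperty -Path $ParamKey | Select-Object -Property ([string[]]$Proposed.Keys)
```

The exported .reg file can be re-imported to restore the previous state of the driver key.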

 

Last modified
20:00, 22 Jun 2016
