http://technet.microsoft.com/en-us/library/cc778402%28WS.10%29.aspx
All of the current versions of Windows have an architectural limitation with regard to memory-mapped files: no process can have more than 1 GB of memory-mapped files in total. This limitation means that all of the services that run under the Services.exe process must share the 1-GB pool
I think that's the cause.
If you need extensive logging, use some method to archive old logs before they're overwritten?
This is indeed quite surprising; leave it to Microsoft to make a feature worse. In some ways this is not a surprise.
I believe that you can "monitor" the status of the RAID using the diskpart utility. For some example commands see http://www.techotopia.com/index.php/Creating_and_Managing_Windows_Server_2008_Mirrored_%28RAID_1%29_Volumes.
I don't have a 2008 software RAID myself unfortunately, but I can only imagine that the output of list volume will indicate when a drive is offline or in a faulty state. An example output of list volume looks like this:
Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
Volume 0     E   DATA         NTFS   Simple       931 GB  Healthy
Volume 1     D                       DVD-ROM         0 B  No Media
Volume 2         System Rese  NTFS   Partition    100 MB  Healthy    System
Volume 3     C   BOOT         NTFS   Partition    138 GB  Healthy    Boot
Volume 4     F   FreeAgent G  NTFS   Partition   1863 GB  Healthy
You simply create a text file with the content being
list volume
and then run it like
diskpart /s file.txt
You could then pipe the output to a file and parse it with a script, and generate an email or event log entry. You would need to run this script every X minutes, e.g. with the task scheduler.
You could use EventSentry (free version available) and its application scheduler to execute this script, and generate an event/email, but you would still have to parse the output from diskpart to determine whether there is a problem or not.
Edit: The status of a failed RAID in Windows is "Failed Rd" as opposed to "Healthy". As such, searching for "Failed Rd" should work. Example:
Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
----------  ---  -----------  -----  ----------  -------  ---------  --------
Volume 0     C   BOOT         NTFS   Mirror       931 GB  Failed Rd  Boot
I'll do some experimenting with this in the future to come up with a better answer and write a blog entry. I had no idea that Microsoft dropped the ball on this.
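The check described in the answer above, as an added example that is not part of the original post: it runs `list volume` through diskpart, reads the Status column by position, and writes an Application event when a volume is unhealthy. It goes slightly beyond searching for "Failed Rd" by reporting any status outside an allow-list; the allow-list, the event source `RaidCheck`, event ID 100 and the temp file name are assumptions.

```powershell
# Added example, not from the original answer. Run elevated: diskpart needs administrator rights.
# Assumptions: English diskpart output; 'No Media' is normal (empty optical drive);
# event source 'RaidCheck' and event ID 100 are hypothetical names chosen for this example.
param([switch]$SelfTest)

function Get-UnhealthyVolume {
    param([string[]]$Lines, [string[]]$OkStatus = @('Healthy', 'No Media'))
    # The dashed ruler gives each column's offset and width, so labels with spaces parse correctly.
    $ruler = $Lines | Where-Object { $_ -match '^\s*-{3,}\s+-' } | Select-Object -First 1
    if (-not $ruler) { throw 'diskpart output has no column ruler; refusing to report healthy' }
    $cols = [regex]::Matches($ruler, '-+')
    if ($cols.Count -lt 7) { throw 'unexpected diskpart column layout' }
    foreach ($line in $Lines) {
        # Data rows start with "Volume <n>"; the selected volume is prefixed with "*".
        if ($line -notmatch '^\s*\*?\s*Volume\s+\d+') { continue }
        $padded = $line.PadRight($ruler.Length)
        $status = $padded.Substring($cols[6].Index, $cols[6].Length).Trim()
        if ($OkStatus -notcontains $status) {
            [pscustomobject]@{
                Volume = $padded.Substring($cols[0].Index, $cols[0].Length).Trim()
                Status = $status
            }
        }
    }
}

if ($SelfTest) {
    # Constructed sample built from the header and rows quoted in the answer.
    $sample = @(
        '  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info',
        '  ----------  ---  -----------  -----  ----------  -------  ---------  --------',
        '  Volume 0     C   BOOT         NTFS   Mirror       931 GB  Failed Rd  Boot',
        '  Volume 1     D                       DVD-ROM         0 B  No Media'
    )
    Get-UnhealthyVolume -Lines $sample
    return
}

# Live check: write the one-line diskpart script, run it, and raise an event on any bad status.
$scriptFile = Join-Path $env:TEMP 'list-volume.txt'
Set-Content -Path $scriptFile -Value 'list volume' -Encoding ASCII
$bad = @(Get-UnhealthyVolume -Lines (& diskpart.exe /s $scriptFile))
if ($bad.Count -gt 0) {
    $msg = ($bad | ForEach-Object { "$($_.Volume): $($_.Status)" }) -join '; '
    & eventcreate.exe /T ERROR /ID 100 /L APPLICATION /SO RaidCheck /D "Unhealthy volume(s): $msg" | Out-Null
    exit 1
}
```

Run it with `-SelfTest` to exercise the parser on the embedded sample without touching diskpart. The script throws rather than reporting success when the output cannot be parsed, so a scheduled task built on it fails visibly if diskpart's output changes.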
Best Answer
My solution for these tasks is to use OSSEC and configure an active-response when a desired event triggers. It is partially similar to your idea (using the logs), but with a much stronger framework and easily extensible...
Link: http://www.ossec.net