Forum Discussion
m_giusti
Feb 05, 2019, Copper Contributor
High CPU/Memory utilization using WMI to read Security Event log
Hi Tech Community, We have 2 systems that read the Security Event log of our three 2012 R2 DC's, a SIEM (Sentinel) and Netwrix account lockout examiner (these have been operational for many years ...
scottystunz
Nov 15, 2020, Copper Contributor
Did you get anywhere with this issue? We have the same issue.
sbonn
Nov 16, 2020, Copper Contributor
scottystunz:
We ended up compromising with the infrastructure team by dropping the security.evtx to 2 GB; they get some RAM back, at the expense of losing a bit of retention.
Noted that some of the events in there are cherry-picked to be sent to the SIEM.
The only theory of why it works like this is to be able to continue logging events if the system loses access to disk writes. That way, you can scrape the RAM for the latest evtx in forensic situations.
m_giusti
Nov 16, 2020, Copper Contributor
Hi Scotty,
Unfortunately no, we upped the server specs for all our DCs, doubled CPU to 4 and increased memory by 4 GB, which isn't much of a big deal in itself; however, it adds extra load to our virtual infrastructure. But our DC days are numbered, as we will be transitioning to cloud over the next 12 months.
Cheers
Mark
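The trade-off sbonn describes (capping Security.evtx at 2 GB and accepting less local retention) is worth measuring before it is applied. The following is an added example, not code posted by anyone in this thread: it reads the Security log's current cap, file size and on-disk retention window with Get-WinEvent, projects how many days a 2 GB cap would hold at the observed event rate, and then applies the cap with Limit-EventLog. The 2 GB target is taken from sbonn's figure and is an assumption to adjust to your own retention requirement; the projection assumes a roughly constant event rate.

```powershell
# Added example (not from the thread): size the Security log cap with data before applying it.
# Run in an elevated Windows PowerShell 5.1 session on the domain controller.
# $TargetBytes is an assumed value based on sbonn's 2 GB compromise; change it to suit your retention needs.

$TargetBytes = 2GB   # 2147483648, a multiple of 64 KB as Limit-EventLog requires

# Current configuration and on-disk size of Security.evtx
$log = Get-WinEvent -ListLog Security -ErrorAction Stop
[pscustomobject]@{
    LogMode       = $log.LogMode                               # Circular = oldest events overwritten when full
    MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
    FileSizeMB    = [math]::Round($log.FileSize / 1MB)
    RecordCount   = $log.RecordCount
} | Format-List

# Retention currently held locally: time span between the oldest and newest record
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$span   = $newest.TimeCreated - $oldest.TimeCreated
"Current local retention: {0:N1} days across {1:N0} MB" -f $span.TotalDays, ($log.FileSize / 1MB)

# Rough projection of retention after the cap, assuming the event rate stays constant
if ($log.FileSize -gt 0) {
    $estDays = $span.TotalDays * ($TargetBytes / $log.FileSize)
    "Projected local retention at {0:N0} MB: {1:N1} days" -f ($TargetBytes / 1MB), $estDays
}

# Apply the cap. Limit-EventLog is a Windows PowerShell (5.1) cmdlet; the equivalent
# command-line form on any supported version is:  wevtutil sl Security /ms:$TargetBytes
Limit-EventLog -LogName Security -MaximumSize $TargetBytes

# Confirm the new setting took effect
(Get-WinEvent -ListLog Security).MaximumSizeInBytes / 1MB
```

Two checks matter when the projected retention falls short of what the SIEM cannot cover: confirm which event IDs the SIEM actually collects (sbonn notes only a cherry-picked subset is forwarded), since anything not forwarded is lost once the local log wraps, and check whether Group Policy already sets "Maximum security log size" for domain controllers, because a Group Policy value will overwrite a local Limit-EventLog change at the next policy refresh.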