Forum Discussion
m_giusti
Feb 05, 2019, Copper Contributor
High CPU/Memory utilization using WMI to read Security Event log
Hi Tech Community, We have 2 systems that read the Security Event log of our three 2012 R2 DC's, a SIEM (Sentinel) and Netwrix account lockout examiner (these have been operational for many years ...
scottystunz
Nov 15, 2020, Copper Contributor
Did you get anywhere with this issue? we have the same issue
sbonn
Nov 16, 2020, Copper Contributor
scottystunz:
we ended up compromising with the infrastructure team by dropping the security.evtx to 2GB; they get some RAM back, at the expense of losing a bit of retention.
noted that some of the events in there are cherry-picked to be sent to SIEM.
the only theory of why it works like this is to be able to continue logging events if the system loses access to disk writes. that way, you can scrape the RAM for the latest evtx in forensic situations.
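The reply above trades Security log size for RAM and accepts a shorter on-box retention. Before making that trade on a domain controller it helps to know how much retention a given cap actually buys, because the answer depends on the event rate of that particular DC. The script below is an added example, not code from this thread or from Microsoft; it reads the current Security log configuration with Get-WinEvent, derives the average bytes per record and records per day from the oldest and newest entries, and estimates retention at a proposed cap using a simple linear model (it assumes a steady event rate, which is an approximation). The 2 GB default mirrors the figure in the post; `$ProposedMaxBytes` and the `-Apply` switch are names chosen for this example. It must run elevated to read the Security log, and on a DC a GPO setting for the maximum log size will override whatever `wevtutil sl` writes locally.

```powershell
# Added example (not from the thread): estimate Security log retention at a
# proposed size cap before applying it. Run in an elevated session on the DC.
param(
    [long]$ProposedMaxBytes = 2GB,   # assumption: the 2 GB cap mentioned in the thread
    [switch]$Apply                   # without -Apply the script only reports
)

# Current configuration and on-disk statistics for the Security log
$log = Get-WinEvent -ListLog Security

# Oldest and newest records bound the retention window currently held on disk
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName Security -MaxEvents 1

$spanDays       = ($newest.TimeCreated - $oldest.TimeCreated).TotalDays
$bytesPerRecord = $log.FileSize / [math]::Max($log.RecordCount, 1)
$recordsPerDay  = $log.RecordCount / [math]::Max($spanDays, 0.01)

# Linear estimate: how many records fit in the cap, divided by the daily rate
$estimatedRetentionDays = ($ProposedMaxBytes / $bytesPerRecord) / $recordsPerDay

[pscustomobject]@{
    CurrentMaxMB           = [math]::Round($log.MaximumSizeInBytes / 1MB)
    CurrentFileMB          = [math]::Round($log.FileSize / 1MB)
    RecordCount            = $log.RecordCount
    LogMode                = $log.LogMode
    CurrentRetentionDays   = [math]::Round($spanDays, 1)
    RecordsPerDay          = [math]::Round($recordsPerDay)
    ProposedMaxMB          = [math]::Round($ProposedMaxBytes / 1MB)
    EstimatedRetentionDays = [math]::Round($estimatedRetentionDays, 1)
} | Format-List

if ($Apply) {
    # wevtutil sl takes the maximum size in bytes. A domain GPO that sets the
    # Security log size will override this local value at the next refresh.
    wevtutil sl Security /ms:$ProposedMaxBytes

    # Re-read the configuration so the change is confirmed rather than assumed
    Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, LogMode
}
```

Run it without `-Apply` first on each DC; a DC handling authentication for a large site can log far more events per day than a quiet one, so the same 2 GB cap yields very different retention across the three servers. If the SIEM already receives the events that matter, the estimate mainly tells you how long the local copy remains available for forensic pulls and for tools such as the lockout examiner that query the DC directly.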