High CPU and RAM Utilization

Tags: cpu | netwrix | ram | security

#1 Anon4343

Have you noticed performance issues with the Windows Event log service when a log file size is set to a few GBs? I'm not sure if NXLog is a factor, but perhaps it may sometimes struggle with large event logs?

We have our security event log set to 4 GB size on all servers. I've noticed that there are high CPU and RAM utilization on 5 or 20 minute cycles. The process using the CPU is svchost EventLog. Derived from using Resource Monitor and running:

tasklist /svc /fi "imagename eq svchost.exe"

I used Sysinternals RanMap to see that the security log file was using 4 GB of RAM stored in the Mapped File listing.

We're not seeing this issue on all of our servers. But it was strange when a production and staging server with very similar loads experienced drastically utilizations. The utilization didn't match until the affected server had its security log cleared. There are not a lot of events being generated. 4 GBs of events goes back to over 30 days. The 4 GB setting is a recommended server configuration when using NetWrix Auditor.

The biggest difference is the amount of standby vs active memory allocated to the security log. On affected servers, the active memory will be 4 GB. On unaffected servers, the standby memory will be 4 GB.

Thank you in advance for any pointers.

#3 NenadM
#1 Anon4343
Have you noticed performance issues with the Windows Event log service when a log file size is set to a few GBs? I'm not sure if NXLog is a factor, but perhaps it may sometimes struggle with large event logs? We have our security event log set to 4 GB size on all servers. I've noticed that there are high CPU and RAM utilization on 5 or 20 minute cycles. The process using the CPU is svchost EventLog. Derived from using Resource Monitor and running: tasklist /svc /fi "imagename eq svchost.exe" I used Sysinternals RanMap to see that the security log file was using 4 GB of RAM stored in the Mapped File listing. We're not seeing this issue on all of our servers. But it was strange when a production and staging server with very similar loads experienced drastically utilizations. The utilization didn't match until the affected server had its security log cleared. There are not a lot of events being generated. 4 GBs of events goes back to over 30 days. The 4 GB setting is a recommended server configuration when using NetWrix Auditor. The biggest difference is the amount of standby vs active memory allocated to the security log. On affected servers, the active memory will be 4 GB. On unaffected servers, the standby memory will be 4 GB. Thank you in advance for any pointers.

Hello Anon4343

The nxlog service shouldn't have any difficulties with reading or writing the log files with size set to a few GBs. I can't really tell what exactly is causing this issue based on your description but if there's a problem with the NXLog CE then some internal logs should be recorded. Also, it could help if you share your nxlog configuration file (or some parts of it).

In case the log file size causes a problem with some other Windows OS process or service, here is the link to the documentation page that describes how the file rotation works: https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#om_file_config_example_rotate1