High CPU and RAM Utilization
Anon4343 created
Have you noticed performance issues with the Windows Event log service when a log file size is set to a few GBs? I'm not sure if NXLog is a factor, but perhaps it may sometimes struggle with large event logs?
We have our security event log set to 4 GB size on all servers. I've noticed that there is high CPU and RAM utilization on 5 or 20 minute cycles. The process using the CPU is svchost EventLog. This was derived from using Resource Monitor and running:
tasklist /svc /fi "imagename eq svchost.exe"
I used Sysinternals RAMMap to see that the security log file was using 4 GB of RAM stored in the Mapped File listing.
We're not seeing this issue on all of our servers. But it was strange when a production and staging server with very similar loads experienced drastically different utilizations. The utilization didn't match until the affected server had its security log cleared. There are not a lot of events being generated. 4 GB of events goes back over 30 days. The 4 GB setting is a recommended server configuration when using NetWrix Auditor.
The biggest difference is the amount of standby vs active memory allocated to the security log. On affected servers, the active memory will be 4 GB. On unaffected servers, the standby memory will be 4 GB.
Thank you in advance for any pointers.
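One way to record the cycle described in the post above, as an added example that is not part of the original post: it samples the svchost instance hosting the EventLog service alongside the Security log's size, so affected and unaffected servers can be compared over the same window. The parameter names `$SampleSeconds` and `$Samples` are assumptions chosen for this example, and it is meant to run in an elevated PowerShell session.

```powershell
# Added diagnostic example. Run in an elevated PowerShell session on the server.
# $SampleSeconds and $Samples are hypothetical parameter names for this example.
param(
    [int]$SampleSeconds = 30,   # short enough to catch a 5-minute cycle
    [int]$Samples       = 60    # 60 x 30 s = 30 minutes of observation
)

# Resolve the svchost.exe instance that hosts the EventLog service
# (same information as: tasklist /svc /fi "imagename eq svchost.exe").
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='EventLog'"
if (-not $svc -or $svc.ProcessId -eq 0) {
    throw 'EventLog service is not running or could not be queried.'
}
$hostPid = $svc.ProcessId
$cores   = [Environment]::ProcessorCount

$prev = Get-Process -Id $hostPid
for ($i = 0; $i -lt $Samples; $i++) {
    Start-Sleep -Seconds $SampleSeconds
    $cur = Get-Process -Id $hostPid
    $log = Get-WinEvent -ListLog Security

    # CPU time consumed during the interval, normalised across all logical processors.
    $cpuSeconds = ($cur.TotalProcessorTime - $prev.TotalProcessorTime).TotalSeconds
    $cpuPercent = 100 * $cpuSeconds / ($SampleSeconds * $cores)

    # One row per sample; pipe to Export-Csv to keep a record.
    [pscustomobject]@{
        Time         = Get-Date -Format 'HH:mm:ss'
        HostPid      = $hostPid
        CpuPercent   = [math]::Round($cpuPercent, 1)
        WorkingSetMB = [math]::Round($cur.WorkingSet64 / 1MB)
        LogFileMB    = [math]::Round($log.FileSize / 1MB)
        LogMaxMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
        LogRecords   = $log.RecordCount
    }
    $prev = $cur
}
```

Running it on one affected and one unaffected server for the same period shows whether the CPU spikes line up with growth in the service host's working set.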
NXLog using 35-45% CPU on vCenter server
cperrone created
We installed version 2.10.2150 and are using the standard out-of-box config file to send syslogs to clone. Anything we can do to reduce CPU consumption? Here is our config file but I have removed IP for our clone server:
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
    Module      xm_syslog
</Extension>

# Windows Event Log
<Input eventlog>
    Module      im_msvistalog
</Input>

<Output tcp>
    Module      om_tcp
    Host        xx.xx.xx.xx
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route eventlog_to_tcp>
    Path        eventlog => tcp
</Route>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension _fileop>
    Module      xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>