Have you noticed performance issues with the Windows Event log service when a log file size is set to a few GBs? I'm not sure if NXLog is a factor, but perhaps it may sometimes struggle with large event logs?

We have our security event log set to 4 GB size on all servers. I've noticed that there is high CPU and RAM utilization on 5 or 20 minute cycles. The process using the CPU is svchost EventLog. Derived from using Resource Monitor and running:

tasklist /svc /fi "imagename eq svchost.exe"

I used Sysinternals RAMMap to see that the security log file was using 4 GB of RAM stored in the Mapped File listing.

We're not seeing this issue on all of our servers. But it was strange when a production and staging server with very similar loads experienced drastically different utilization. The utilization didn't match until the affected server had its security log cleared. There are not a lot of events being generated. 4 GBs of events go back to over 30 days. The 4 GB setting is a recommended server configuration when using NetWrix Auditor.

The biggest difference is the amount of standby vs active memory allocated to the security log. On affected servers, the active memory will be 4 GB. On unaffected servers, the standby memory will be 4 GB.

Thank you in advance for any pointers.

Asked January 14, 2022 - 3:32pm

Comments (1)

  • Klevin

    Hello Sir,

    I need to inform you that NXLog Community Edition 3.0.2284 is now available on the download page.

    This is a minimal hotfix release addressing two critical bugs community users reported against the released NXLog CE 3.0 Windows build:

    If needed attaching the news link

    Please can you try with the newly released version?

    Sincerely Klevin

Answer (1)

Hello Anon4343

The nxlog service shouldn't have any difficulties with reading or writing the log files with size set to a few GBs. I can't really tell what exactly is causing this issue based on your description but if there's a problem with the NXLog CE then some internal logs should be recorded. Also, it could help if you share your nxlog configuration file (or some parts of it).

In case the log file size causes a problem with some other Windows OS process or service, here is the link to the documentation page that describes how the file rotation works:

Comments (2)

  • Anon4343

    The NXLog log is pretty small. I was thinking that perhaps the program is accessing the security log so often that Windows is keeping it in active memory. I don't see a schedule setting in the NXLog config for how often it reads from the log.

  • NenadM

    Please check the documentation page:

    You can reduce the frequency of reading from the EventLog. The directive you need is:
    This directive specifies how frequently the module will check for new events, in seconds. If this directive is not specified, the default is 1 second. Fractional seconds may be specified (PollInterval 0.5 will check twice every second).
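
The PollInterval directive described in the last comment, shown in an input block. This is an added example, not a configuration posted in the thread: it assumes the Security log is collected with the im_msvistalog module, and the instance name and the 30 second value are illustrative.

```conf
# Added example; not taken from the thread.
# Assumption: the Security log is read with the im_msvistalog input module.
# "security_eventlog" is a hypothetical instance name.
<Input security_eventlog>
    Module        im_msvistalog

    # Collect only the Security channel.
    Channel       Security

    # Check for new events every 30 seconds instead of the default 1 second.
    # 30 is an illustrative value. A longer interval means the module reads
    # the log less often, but events also leave the host later, so choose a
    # value that the alerting on the receiving side can tolerate.
    PollInterval  30
</Input>
```

After changing the value and restarting the nxlog service, the same Resource Monitor and RAMMap checks from the question can be repeated to compare active and standby memory for the security log.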