Have you noticed performance issues with the Windows Event log service when a log file size is set to a few GBs? I'm not sure if NXLog is a factor, but perhaps it may sometimes struggle with large event logs?
We have our security event log set to 4 GB size on all servers. I've noticed that there are high CPU and RAM utilization on 5 or 20 minute cycles. The process using the CPU is svchost EventLog. Derived from using Resource Monitor and running:
tasklist /svc /fi "imagename eq svchost.exe"
I used Sysinternals RanMap to see that the security log file was using 4 GB of RAM stored in the Mapped File listing.
We're not seeing this issue on all of our servers. But it was strange when a production and staging server with very similar loads experienced drastically utilizations. The utilization didn't match until the affected server had its security log cleared. There are not a lot of events being generated. 4 GBs of events goes back to over 30 days. The 4 GB setting is a recommended server configuration when using NetWrix Auditor.
The biggest difference is the amount of standby vs active memory allocated to the security log. On affected servers, the active memory will be 4 GB. On unaffected servers, the standby memory will be 4 GB.
Thank you in advance for any pointers.