We are using NXLog CE's im_msvistalog module to forward Windows Event Logs from the Security log, with some filtering, to an external syslog server. Functionally this works well and does exactly what we need it to.
The problem we are having is that nxlog.exe process often consumes rather high percentages of a workstation's CPU in bursts. Between 25 and 35 percent every few minutes, for around a minute at a time. This is generally too much of a performance hit and I need to find some way to resolve it.
I have already mitigated the size of the event log file that nxlog.exe is querying from by clearing the Security log entirely, so this is happening even on a system with not more than a few dozen log entries to read from. The query itself is fairly simple, it loads all Event ID 4625 entries from the Security log (these are logon failures). It then has a single command to drop any logon failures that were initiated for a computer account instead of a user account (this is done by reading the target account trying to logon, string parsing the account username to see if the final character is a "$", which denotes a computer account, and dropping the log if the "$" is found).
What can I do to mitigate the excessive CPU usage?
What I have tried so far: clearing the Windows event log that nxlog is reading from to reduce the size of the data it needs to read from disk, using UDP syslog forwarding instead of TCP, removed the parsing that dropped Event Log ID 4625 entries where the target account being logged in was a computer account instead of a user account. None of this has helped.
Edit to add: I did try writing out text logging instead of syslog forwarding. This worked but I am still experiencing the periodic excessive CPU consumption. The problem is likely in the im_msvistalog input module, I would assume.