Hi Steve,
I too had the same issue – excessive CPU utilization on my Win2K3 boxes.
I also found a way to fix the problem.
First, I have to say that all versions from 1.8.3, 1.7.2, 1.7.1 down to 1.7.0b that I tested are affected, so it is not a version specific problem. Also, it is not related to filter definitions, their number or complexity. As a matter of fact it is not really a nagevlog problem at all.
What I first found out on the systems that were affected in my case is that the Security Event Log was constantly filled by hundreds of events of two types (copies are at the bottom of the post), and they are the reason for the high CPU utilization.
These two events were created for three reasons:
- In the ‘Local Security Policy’\‘Audit Policy’\‘Audit Object Access’ I configured both Success and Failure. The default setting is to audit Failures only. (This change is a recommended security setting for all Windows servers that are Internet facing or need to be highly secured.)
- As a part of Windows installation, auditing is configured for the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security and subkeys
- nagevlog keeps accessing this key excessively
So to fix the problem you can either disable auditing for Successful Object Access in the Local Security Policy (not in my case), or disable auditing for the registry key (this should not be done), which I temporarily did on my staging systems. This instantly reduced CPU utilization from 60-70% to 3-4%.
So the only question is: why is this key so excessively accessed and probably modified, and can that be changed in the next release?
Thanks
=======================================================================
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 13/12/2007
Time: 20:50:21
User: NT AUTHORITY\SYSTEM
Computer: XXXXXXXXXX
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security\Security
Handle ID: 180
Operation ID: {0,2288220020}
Process ID: 7068
Image File Name: C:\Program Files\Monitoring\nagevlog.exe
Primary User Name: XXXXXXXXXX$
Primary Domain: XXXXXXXX
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Privileges: -
Restricted Sid Count: 0
Access Mask: 0xF003F
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
And
==================================================================
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 13/12/2007
Time: 20:50:21
User: NT AUTHORITY\SYSTEM
Computer: XXXXXXXXXX
Description:
Handle Closed:
Object Server: Security
Handle ID: 180
Process ID: 7068
Image File Name: C:\Program Files\Monitoring\nagevlog.exe
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
==========================================================================