High CPU utilization after enabling Event Log Forwarding

Михаил Андросов 336 Reputation points

On the network, I have configured the forwarding of event logs to a dedicated collection server. Logs are collected in collector-initiated mode.

I have added domain controller servers to the list of servers from which logs are requested.

After that, the percentage of CPU usage on domain controllers increased significantly. Event Log Service takes approximately 60 - 70% of CPU. Together with the rest of the processes, the percentage of CPU time occupied reaches 90% or higher.

Why is this happening? How can I fix the situation?

Windows Server

1 answer

  1. Wesley Li 5,330 Reputation points


    High CPU utilization after enabling Event Log Forwarding can occur due to several reasons:

    Number of Connections: The memory usage of the Windows Event Collector service depends on the number of connections that are received by the client. The number of connections depends on the frequency of the connections, the number of subscriptions, the number of clients, and the operating system of the clients.

    Event Latency: As soon as events are generated on the client, the Event Forwarding mechanism takes some time to forward them to the collector. This delay may be caused by the subscription configuration, such as the DeliveryMaxLatency parameter, the performance of the collector, the forwarder, or the network.

    System Requirements: If you deploy EventLog Forwarding in a large environment (for example, you deploy 40,000 to 100,000 source computers), it is recommended that you deploy more than one collector that has 2,000 to not more than 4,000 clients per collector.

    Here are some suggestions to fix this situation:

    Update Your System: There are important scalability fixes that have been rolled out to Windows Server 2016, Windows Server 2019 in the February 25, 2020 cumulative updates.

    Switch Fetch Method: Switch the event log monitor fetch method from WMI to RPC on the remaining monitors. CPU loads should fall back to normal levels.

    Create a Trace: Create an ETL trace while the problem is happening. For example, run wpr.exe -start GeneralProfile, leave it running for 20-30 seconds while the problem is occurring, and then run wpr.exe -stop C:\gp.etl. Once you have the ETL file, get Windows Performance Analyzer from the Store and load the trace file.

    Remember that each situation is unique and these solutions might not apply directly to your case. It’s always a good idea to back up your system and data before making any changes.

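The answer points at the subscription configuration (DeliveryMaxLatency and related settings) as one source of forwarder load. The following PowerShell, added here as an example and not taken from the question or the answer, inspects a collector-initiated subscription for the settings that push work onto the source hosts and then switches it to batched delivery with wecutil. The subscription name "DC-Security" and the numeric values are constructed placeholders.

```powershell
# Added example: review and tune a collector-initiated WEF subscription on the collector.
# "DC-Security" is a placeholder subscription name; replace it with your own.
$SubscriptionName = 'DC-Security'

# Dump the current subscription definition as XML (wecutil gs ... /f:XML).
[xml]$sub = (wecutil gs $SubscriptionName /f:XML) -join "`n"
$ns = New-Object System.Xml.XmlNamespaceManager($sub.NameTable)
$ns.AddNamespace('s', 'http://schemas.microsoft.com/2006/03/windows/events/subscription')

# Helper: return an element's text, or a marker when the element is absent.
function Get-SubValue([string]$XPath) {
    $node = $sub.SelectSingleNode($XPath, $ns)
    if ($null -eq $node) { '(not set)' } else { $node.InnerText }
}

$format   = Get-SubValue '//s:ContentFormat'
$readOld  = Get-SubValue '//s:ReadExistingEvents'
$maxItems = Get-SubValue '//s:Delivery/s:Batching/s:MaxItems'
$maxLat   = Get-SubValue '//s:Delivery/s:Batching/s:MaxLatencyTime'

# Each of these shifts CPU onto the source host (here, the domain controllers):
#  - ContentFormat=RenderedText makes the source expand message strings per event.
#  - ReadExistingEvents=true replays the whole backlog when a source is (re)added.
#  - A tiny MaxItems / MaxLatencyTime means one delivery per event instead of batches.
Write-Host "ContentFormat=$format ReadExistingEvents=$readOld MaxItems=$maxItems MaxLatencyTime=${maxLat}ms"

# Apply batched delivery: up to 500 events or 5 minutes (300000 ms) per delivery,
# a 10-minute heartbeat, raw events (rendered on the collector) and no backlog replay.
# These values are assumed starting points; adjust them against observed DC CPU.
wecutil ss $SubscriptionName /cm:Custom /dmi:500 /dmlt:300000 /hi:600000 /cf:Events /ree:false

# Check per-source runtime status (last heartbeat, error count) after the change.
wecutil gr $SubscriptionName
```

Run it in an elevated prompt on the collector; sources pick up the new delivery settings at their next refresh of the subscription.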