High cpu load in services.exe when doing event log tests

rbartels
Posts: 17
Joined: Wed Mar 16, 2005 1:30 pm


Post by rbartels »

I have two domain controllers that also have MOM installed (Microsoft's monitoring package). Both domain controllers are usually running around 10% CPU utilization with MOM and Hostmonitor running. I only have the rma agent installed on the domain controllers. I have several tests set up: services, disk space, cpu, perf mon for bandwidth etc.

When I turn on 2 eventlog tests (looking for security group additions) the cpu load goes to 100% with services.exe taking up almost 70%, rma taking up 20%. I have to manually stop the service once the cpu is bound. Disabling the tests doesn't stop the high cpu load. Restarting the service and starting the monitoring with the 2 event tests disabled leaves the machines at around 10% utilization.

It seems to be related to the event log test exclusively. I am running the tests from the rma on the domain controller and not from hostmonitor itself which sits on a different machine. The other 4 domain controllers have no issues but they aren't installed with MOM.

Domain Controllers are Windows 2003 Sp1 all patches.
Hostmonitor is 5.70 and the rma is 3.15

Anyone have a cluepon for me? I really need to look for the security events on those two DC's, in fact those two tests are more important than the others.

Thanks

Bob
Yoorix
Posts: 177
Joined: Wed Dec 14, 2005 8:28 am

Post by Yoorix »

Please provide more information about eventlog tests.

As you have written above, you check security log, right?

What event source do you check exactly?
What alert conditions do you set?

Is MOM monitoring security log too?

Have new records been added into the security log after HM has checked it?

Regards,
Yoorix
rbartels
Posts: 17
Joined: Wed Mar 16, 2005 1:30 pm

Post by rbartels »

Security log -> From the local computer
Event type Error, Success or Failure
Event Id's 665, 655, 650, 660, 632, 636
Descriptions "Domain Admins", "Schema Admins", "Exchange 2003 Full Administrators", "Enterprise Admins"

Quick ? - Is there any difference from running the event log monitoring from the installed RMA or from hostmonitor. If I use the localrma and put in the server name is this causing more work for hostmonitor?

Is MOM monitoring the security log? NO
In fact I have 4 other DC's with the same config. The other 4 have no issues.

*****
Removing MOM didn't solve the issue
*****

Note: Auditing is turned up on this DC. The logfile was set at 128MB and was full to the point that it was being overwritten, I suppose.

Clearing the security log has fixed the CPU load issue.

Is there a limit on the size of the Security log for Hostmonitor?

Thanks

Bob
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

> Quick ? - Is there any difference from running the event log monitoring from the installed RMA or from hostmonitor. If I use the localrma and put in the server name is this causing more work for hostmonitor?

HostMonitor and RMA use the same code, so the result should be the same.

> Is there a limit on the size of the Security log for Hostmonitor?

Not really. HostMonitor can handle up to 2,147,483,647 records.

When the problem appears, does HostMonitor show "Checking..." test status for a long time?
Maybe it's another appearance of this problem:

> The problem related to NT Event Log test method has been fixed: when HostMonitor calls Windows API to format event description, Windows does not check the accordance between the number of variables in a template (that is stored in resource file) and the number of variables stored in an event log. This could lead to access violation errors when some software was installed or updated incorrectly (e.g. version mismatch between different DLLs). Now HostMonitor checks the template (retrieved from the DLL) and verifies the number of insertion strings before calling Windows function.

Could you try to install version 5.82?

Regards
Alex
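
The check described in the fix note above (comparing the insertion variables in the message template with the number of strings stored in the event record before calling the Windows formatter), as an added example that is not HostMonitor's code. The function names and the sample template are assumptions, and the parser handles only the `%1`..`%99` insertions and the argument-less escapes of the FormatMessage template syntax.

```c
#include <ctype.h>
#include <stdio.h>

/* Highest insertion index (%1..%99) referenced by a FormatMessage-style
 * template. "%%" is a literal percent sign; "%0", "%n", "%t" and similar
 * escapes consume no argument. */
static int max_insert_index(const char *tmpl)
{
    int max = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            break;                          /* dangling '%' at end of template */
        if (!isdigit((unsigned char)*p))
            continue;                       /* "%%", "%n", "%t": not an insertion */
        int idx = *p - '0';
        if (isdigit((unsigned char)p[1]))
            idx = idx * 10 + (*++p - '0');  /* indexes have at most two digits */
        if (idx > max)
            max = idx;
    }
    return max;
}

/* Returns 1 when the record carries at least as many strings as the template
 * references, so the formatter never reads an argument that is not there. */
static int template_matches_record(const char *tmpl, unsigned num_strings)
{
    return (unsigned)max_insert_index(tmpl) <= num_strings;
}

int main(void)
{
    /* Constructed template and string counts, not taken from a real DLL. */
    const char *tmpl = "Member %1 added to group %3\\%2 by %4%n100%% done%0";
    for (unsigned n = 3; n <= 4; n++)
        printf("NumStrings=%u -> %s\n", n,
               template_matches_record(tmpl, n) ? "format description"
                                                : "show raw strings");
    return 0;
}
```

When the counts disagree, a monitor can fall back to showing the raw insertion strings, which still lets a description filter such as "Domain Admins" match.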