Link to home
Create AccountLog in
Avatar of SOMLLPIT

asked on

How do we fix high cpu usage on a Domain Controller due to Windows Event Log service?

I have Windows 2012 R2 Domain Contollers. Two of them have been experiencing hig cpu usage in the last month or so. The problkem stems from overwriting entries in Windows Security Log, when I clear the Log the cpu gets down to normal levels. Any ideas how to fix this other than clearing the logs every day?
Avatar of Will Szymkowski
Will Szymkowski
Flag of Canada image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Check the events for what is filling them up so fast.
Avatar of SOMLLPIT


Here is how my default domain controller audit polices are configured.
The settings that you have are normal. I have even configured more options than you have and it works completely fine in my environment.

What I would suggest is find out what events are being generated, adnd then based on the events find the source node and correct the issue.

I would think that there is an account of some sort that is continually getting locked out.

I checked the events and indeed found a few accounts locking all the time and filling up the logs quickly, eliminated a couple of them and looks better now.
Ok that is great news! This is why it is good to have an application that does reporting for Active Directory. You can view real time lockouts and be proactive about this issues.

I corrected those accounts and I also scaled back on the Default Domain Policy auditing but I still get high cpu on a couple of my Domain Controllers still due that same process:
Is there anything else you recommend to do?
What anti-virus are you running?  Is this a VM?  Are you running any VM optimizers?  I am seeing the same issue and am studying this with procmon and see something "X" causing the event log service to read the entire security log file which is problematic if it is very large. Clearing or archiving the log temporarily makes the problem seem much smaller but the problem becomes more and more noticeable as the event log (in this case the security log) grows and grows and grows.  "X" has to be a filter driver (do an fltmc command) or a bug in the event log service (extremely unlikely).