ntevl seems to still be scanning the Security log, even though it has been removed from the config.
The security_pos entry also still seems to be in the ntevl.pos file. Should this be removed?
<setup>
file replication service_pos = 0
dns server_pos = 56902
security_pos = 144599023
directory service_pos = 11176
application_pos = 69226
system_pos = 297817
</setup>
and ntevl.log shows lots of lines like:
Apr 15 11:38:17:607 [8728] ntevl: Event skipped: AutoCertEnrollFailed6: Security: 144881304
Apr 15 11:38:17:607 [8728] ntevl: Event skipped: DCCertificateEnrollFailed13: Security: 144881304
Apr 15 11:38:17:607 [8728] ntevl: Event skipped: 5827-ADEvent: Security: 144881304
Even though those profiles are configured to use other logs, for example System or Application.
Release : 20.3
Component : UIM - NTEVL4.32 T6
In the ntevl logs for Security, all the events are skipped, i.e., no matching profile is found.
The Security events should stop after some time (this could be some hours, depending on the volume of Security events the probe was monitoring earlier) after the log is removed from the list of monitored log files in the ntevl GUI.
It is also good practice to enable the backup position feature:
https://knowledge.broadcom.com/external/article?articleId=96827
If you enable backup, ntevl backs up the position file at the configured interval; on a probe restart, when reading the .pos files, it picks up the last updated file (which holds the last position).
The probe keeps the backup of the position file during unexpected system reboot or system crash.
In such cases, reboot alarms occur, but it is possible to get duplicate alarms for the specified time interval.
If the Security log is removed from the ntevl configuration, its entry still remains inside the ntevl.pos file.
However, the value assigned to security_pos (e.g. security_pos = 144599023) will not change; it remains the same.
If the security_pos entry is removed, you will get old or duplicate alarms.
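As an added example (not part of this article and not the probe's own code), the following Python script checks the behaviour described above: it parses the <setup> block of an ntevl.pos file, lists position entries for logs that are no longer in the monitored-logs list, and counts "Event skipped" lines per event log so that a stale entry whose log is still being read stands out. The .pos block and log lines are constructed from the samples quoted above, and the monitored-logs list is an assumption supplied by the caller.

```python
import re
from collections import Counter
# Constructed samples (not real probe output): the .pos block and log lines quoted above.
POS_FILE = """<setup>
file replication service_pos = 0
dns server_pos = 56902
security_pos = 144599023
directory service_pos = 11176
application_pos = 69226
system_pos = 297817
</setup>"""
LOG_LINES = """Apr 15 11:38:17:607 [8728] ntevl: Event skipped: AutoCertEnrollFailed6: Security: 144881304
Apr 15 11:38:17:607 [8728] ntevl: Event skipped: 5827-ADEvent: Security: 144881304
Apr 15 11:38:18:010 [8728] ntevl: Event skipped: NoSuchProfile: System: 297900"""

POS_RE = re.compile(r"^\s*(?P<log>.+?)_pos\s*=\s*(?P<pos>\d+)\s*$")
SKIP_RE = re.compile(r"ntevl: Event skipped: (?P<profile>[^:]+): (?P<log>[^:]+): (?P<record>\d+)\s*$")

def parse_pos_file(text):
    """Return {log name (lower-case): stored position} from the <setup> block of ntevl.pos."""
    positions = {}
    for line in text.splitlines():
        if m := POS_RE.match(line):
            positions[m.group("log").strip().lower()] = int(m.group("pos"))
    return positions

def stale_positions(positions, monitored_logs):
    """Entries in the .pos file for logs that are no longer in the monitored-logs list."""
    monitored = {name.strip().lower() for name in monitored_logs}
    return {log: pos for log, pos in positions.items() if log not in monitored}

def skipped_per_log(log_text):
    """Count 'Event skipped' lines per event log and track the highest record number seen."""
    counts, last_record = Counter(), {}
    for line in log_text.splitlines():
        if m := SKIP_RE.search(line):
            log = m.group("log").strip().lower()
            counts[log] += 1
            last_record[log] = max(last_record.get(log, 0), int(m.group("record")))
    return counts, last_record

def report(pos_text, log_text, monitored_logs):
    """Stale .pos entries, plus those whose log the probe is evidently still reading."""
    stale = stale_positions(parse_pos_file(pos_text), monitored_logs)
    counts, last_record = skipped_per_log(log_text)
    # A stale log that still produces 'Event skipped' lines is the case described above.
    still_read = {log: {"skipped": counts[log], "last_record": last_record[log],
                        "stored_pos": stale[log]} for log in stale if counts.get(log)}
    return stale, still_read
```

Run it against a copy of the real ntevl.pos and ntevl.log with the log names currently listed in the ntevl GUI; a non-empty `still_read` result simply shows the drain-down phase described above, not a fault.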