Running multiple adevl probes in UIM domain. Only one adevl probe generates the desired alarms, and the other probes seem to hang.
Also apparent is that those probes that do not generate alarms are using excessive CPU and memory resources:
Is this a known issue? How can we start troubleshooting here?
Upon examination of the adevl.cfg, the security logs being monitored in this particular scenario are not supported nor tested. Hence, results in such a case may prove to be inconsistent and the probe may not work as expected.
The adevl probe ONLY supports monitoring of these Domain controller logs:
"The Active Directory Events Monitoring (adevl) probe generates alerts that are based on messages from the NT event logs associated with Active Directory. The probe monitors the event logs of Directory Service, DNS Server, and File Replication Service for new messages and generates alarms according to your environment."
The customer could instead try to dedicate one instance of the ntevl probe on the robot to monitor the Security log but we purposely removed the Security logs from the default ntevl configuration some time ago for similar reasons, due to overhead/load.
In general, some Windows event logs can grow to a very large size, e.g., hundreds of thousands of messages so it's not very practical nor even viable to monitor Windows event logs when they reach such a high number of events.
Alternatively, use of logmon to monitor the events log and parse specific events and generate alarms.