Running multiple adevl probes in a UIM domain. Only one adevl probe generates the desired alarms, and the other probes seem to hang.
Also apparent is that the probes that do not generate alarms are using excessive CPU and memory resources.
Is this a known issue? How can we start troubleshooting here?
Upon examination of the adevl.cfg, the Security logs being monitored in this particular scenario are neither supported nor tested with the adevl probe. Results in such a case may be inconsistent, and the probe may not work as expected.
The adevl probe ONLY supports monitoring of these Domain controller logs:
"The Active Directory Events Monitoring (adevl) probe generates alerts that are based on messages from the NT event logs associated with Active Directory. The probe monitors the event logs of Directory Service, DNS Server, and File Replication Service for new messages and generates alarms according to your environment."
Potential workarounds/alternatives:
ntevl
The customer could instead dedicate one instance of the ntevl probe on the robot to monitoring the Security log. Note, however, that the Security log was purposely removed from the default ntevl configuration some time ago for similar reasons: the overhead and load it generates.
In general, some Windows event logs can grow very large (hundreds of thousands of messages), so monitoring them is neither practical nor viable once they reach such a high number of events.
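Before pointing ntevl or logmon at a log, it helps to know how large that log actually is on the domain controller. The following PowerShell check is an added example (not part of this article or of the UIM probes); it reports the record count and size of the three logs adevl supports plus the Security log, and the 250000-record threshold is an assumed value to adjust for your environment.

```powershell
# Added example, not from the KB article or the UIM probes.
# Reports size and record count of the adevl-supported logs plus Security,
# so an administrator can judge whether a log is too large to monitor.
# $Threshold is an assumed value; tune it to your environment.
$Threshold = 250000
$Logs = 'Directory Service', 'DNS Server', 'File Replication Service', 'Security'

foreach ($name in $Logs) {
    # -ListLog returns the log's configuration and counters without reading events
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Output ("{0,-25} not present on this host" -f $name)
        continue
    }
    $sizeMB = [math]::Round($log.FileSize / 1MB, 1)
    $maxMB  = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    $flag   = if ($log.RecordCount -gt $Threshold) { 'TOO LARGE TO MONITOR' } else { 'ok' }
    Write-Output ("{0,-25} records={1,-8} size={2}MB/{3}MB mode={4} {5}" -f `
        $name, $log.RecordCount, $sizeMB, $maxMB, $log.LogMode, $flag)
}
```

Run it in an elevated PowerShell session on the domain controller; logs flagged as too large are candidates for leaving unmonitored or for narrowing with logmon to specific event IDs.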
logmon
Alternatively, use logmon to monitor the event log, parse the specific events of interest and generate alarms from them.