Currently, ntevl comes with three standard default monitoring logs for Windows systems, that is:
- Security events
But the probe doesn't seem to be scaling well and is missing alarms.
Monitoring three large log files in Windows has been noted to produce a lot of overhead or delay in large environments, simply through the sheer amount of data being monitored and transferred. This can cause scalability issues: a Windows event alarm that is triggered may not be alerted on, or appear in UIM, until after a considerable delay, e.g., 2+ hours.
It was noted that removing these default logs (at least two of the three) from monitoring helped immensely by improving alarm response in UIM.
The default logs cannot be removed through the GUI, or manually from the cfg; however, they can be removed using the probe's Raw Configure option.