Closed billylepandaroux closed 4 years ago
Which function are you using with what settings?
Thanks for your quick answer. I use Evotec's "Monitoring Active Directory Changes on Users and Groups with PowerShell", which uses Get-EventsLibrary: https://evotec.xyz/monitoring-active-directory-changes-on-users-and-groups-with-powershell/ https://evotec.xyz/get-eventslibrary-ps1-monitoring-events-powershell/
How big are your security logs?
The security log size was at 4 GB; I changed it to 1 GB. It'll be fixed tomorrow.
There are a few things I can recommend:
Finally, my favorite - enable log forwarding. Since you enable log forwarding of only the crucial events for your reporting, all your DCs will send the events you're interested in (and only those) to ForwardedLog. This means you query just one log, one time. For me, it changed some queries from 15-60 or more minutes to 1 minute and 15 seconds.
Thanks again 👍 The script is actually launched from another VM. And since I limited the security log size to 1 GB, the DCs have more free RAM.
But it still bothers me that after running the script, the DCs keep the file in memory as a mapped file:
Well, not sure if we can do anything about it. It must be by design of the Security log to make logs quickly available. You should use forwarding then. Forward all relevant logs to your VM and it shouldn't query the DCs at all. The DCs will be sending new events as they come to your VM. An additional benefit is that you can get it to send information LIVE to your team as things happen.
I'll check that, thanks again 👍
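The one-log-one-query approach recommended above, as an added example (not Get-EventsLibrary or any code from the Evotec project): it assumes a Windows Event Forwarding subscription is already delivering the DC Security events to the collector VM's ForwardedEvents log, and uses the standard Windows audit event IDs for user and group changes.

```powershell
# Added example, not the thread's script. Once WEF forwards the events you
# care about to the collector, the report reads one local log instead of
# mapping Security.evtx on every domain controller.
# Assumption: WEF subscription already configured; run this on the collector.

function Get-AdChangeEvents {
    [CmdletBinding()]
    param(
        # Hours of history to include (constructed default)
        [int]$LastHours = 24,
        # Supply DC names to use the slow path discussed in the thread
        [string[]]$DomainController
    )

    # Standard Windows audit IDs: user created/deleted/changed,
    # member added/removed for global, local and universal groups
    $eventIds = 4720, 4726, 4738, 4728, 4729, 4732, 4733, 4756, 4757
    $filter = @{
        StartTime = (Get-Date).AddHours(-$LastHours)
        Id        = $eventIds
    }

    if ($DomainController) {
        # Slow path: one remote query per DC; each maps that DC's Security.evtx
        $filter['LogName'] = 'Security'
        $events = foreach ($dc in $DomainController) {
            Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        }
    } else {
        # Fast path: WEF already copied the events here; one local log, one query
        $filter['LogName'] = 'ForwardedEvents'
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    }

    foreach ($e in $events) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            SourceDC = $e.MachineName                # originating DC, kept by WEF
            Id       = $e.Id
            Summary  = ($e.Message -split "`n")[0]   # first line of the description
        }
    }
}

# Usage on the collector:
# Get-AdChangeEvents -LastHours 24 | Sort-Object Time | Format-Table -AutoSize
```

Passing -DomainController reproduces the per-DC remote query the thread is trying to avoid, so the two paths can be timed side by side.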
Hi,
Your script is amazing, but I have some memory issues. After script execution, the RAM on the DC is at 98%.
I used RAMMap and it shows that security.evtx is still in active memory (as a mapped file):
![RoyalTS_7mMpbgO67L](https://user-images.githubusercontent.com/56294861/66382843-30997e80-e9bc-11e9-8f87-80a0a3563463.png)
Your help would be appreciated.
Best regards