EvotecIT / PSWinReporting

This PowerShell Module has multiple functionalities, but one of the signature features of this module is the ability to parse Security logs on Domain Controllers, providing easy-to-use access to AD Events.
MIT License

RAM issue #57

Closed billylepandaroux closed 4 years ago

billylepandaroux commented 4 years ago

Hi,

Your script is amazing, but I have a memory issue. After script execution, RAM on the DC is full at 98%.

I used RAMMap and it shows that security.evtx is still in active memory (as a mapped file).

Your help would be appreciated.

Best regards

PrzemyslawKlys commented 4 years ago

Which function are you using with what settings?

billylepandaroux commented 4 years ago

Thanks for your quick answer. I use Evotec's "Monitoring Active Directory Changes on Users and Groups with PowerShell", which uses Get-EventsLibrary: https://evotec.xyz/monitoring-active-directory-changes-on-users-and-groups-with-powershell/ https://evotec.xyz/get-eventslibrary-ps1-monitoring-events-powershell/

PrzemyslawKlys commented 4 years ago

How big are your security logs?

billylepandaroux commented 4 years ago

The security log size was at 4 GB; I changed it to 1 GB. It'll be fixed tomorrow.

PrzemyslawKlys commented 4 years ago

There are a few things I can recommend:

Finally, my favorite - enable log forwarding. Since you enable log forwarding of only the crucial events for your reporting, all your DCs will send the events you're interested in (and only those) to ForwardedEvents. This means you query just one log, one time. For me, it changed some queries from 15-60 or more minutes to 1 minute and 15 seconds.

billylepandaroux commented 4 years ago

Thanks again 👍 The script is actually launched from another VM. And since I limited the security log size to 1 GB, the DCs have more free RAM.

But it still bothers me that after running the script, the DCs keep the file in memory as a mapped file:

PrzemyslawKlys commented 4 years ago

Well, I'm not sure we can do anything about it. It must be by design of the Security Log to make logs quickly available. You should use forwarding then. Forward all relevant logs to your VM and it shouldn't query the DCs at all. The DCs will be sending new events as they come to your VM. An additional benefit is that you can get it to send information LIVE to your team as things happen.
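
The forwarding setup recommended above, as an added PowerShell example that is not part of PSWinReporting or of this thread: it registers a source-initiated Windows Event Forwarding subscription on the collector VM so the DCs push only user- and group-change Security events into ForwardedEvents, and then runs the report query against that single local log instead of each DC's Security log. The subscription name and the event ID selection are assumptions.

```powershell
# Added example (not project code). Run on the collector VM as an
# administrator after enabling the collector service: wecutil qc
$SubscriptionId = 'AD-UserGroup-Changes'          # hypothetical name
# Assumed set of Security event IDs for user and group changes
$EventIds = 4720,4722,4725,4726,4738,4740,4728,4729,4732,4733,4756,4757
$Select = ($EventIds | ForEach-Object { "EventID=$_" }) -join ' or '

$SubscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward only AD user/group change events from DCs</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[($Select)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <!-- false: do not replay each DC's existing multi-GB backlog -->
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- SDDL allowing the Domain Controllers group (DD) to forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
"@

# Register the subscription from a temporary XML file
$Path = Join-Path $env:TEMP "$SubscriptionId.xml"
$SubscriptionXml | Set-Content -Path $Path -Encoding UTF8
wecutil cs $Path

# Reporting side: one query against one local log, no DC is touched
Get-WinEvent -FilterHashtable @{
    LogName   = 'ForwardedEvents'
    Id        = $EventIds
    StartTime = (Get-Date).AddHours(-24)
} | Select-Object TimeCreated, Id, MachineName, Message | Format-Table -AutoSize
```

The DCs still need the WinRM/WEF source-side group policy (Subscription Manager pointing at this collector) before events start arriving.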

billylepandaroux commented 4 years ago

I'll check that, thanks again 👍