SwiftOnSecurity / sysmon-config

Sysmon configuration file template with default high-quality event tracing

Sysmon performance issues #131

Closed Cappucinoes closed 3 years ago

Cappucinoes commented 4 years ago

Greetings gentlemen,

I have a 3CPU/6GB virtualized Win 10 machine running Sysmon v11.10 with a tweaked SwiftOnSecurity XML config (about 1155 lines long).

In idle the CPU seems to behave normally; once I try to do some activity (i.e. opening Excel, running PowerShell, opening a browser, Word...) the CPU usage from the sysmon.exe process shoots up as high as 40-45%. It seems once events are written to the Windows log, CPU utilization drops.

So my question is: what could be the culprit for the high CPU utilization? How can one improve Sysmon's performance?

The CPU strikes to 45% even if there are not many events written to the logs (1 or 2 events written to the log cause 4 seconds of 45% CPU from sysmon.exe).

Should writing to the Windows log be so exhaustive for the CPU?

Thank you for any tips!

jean-bon commented 4 years ago

Hi

A few ideas

a) By using "end with" instead of "contains", you can save performance by starting a string search at the end of a line; the "match" is usually triggered earlier.

b) Pay attention to ImageLoad, which can be CPU consuming.

c) And a last one coming from the TRUSTEDSEC SYSMON COMMUNITY GUIDE https://www.trustedsec.com/tools/trustedsec-sysmon-community-guide/ on GitHub:

anthony


cyberkryption commented 4 years ago

Dear All, I have seen 11.10 run up to 60% of vCPU on a customer's deployment. However, if we reverted to 10.0 / 10.1 with the same config the issue does not occur.

I have also tried 10.4 with no issues as well. Additionally, I found that Sysmon 11.10 stopped sending ID 3 event logs on all machines; there is an MSDN forum post from July about it.

I think 11.10 may have a memory leak issue or something else, as I have never seen it stop sending events.

Cyberkryption


Cappucinoes commented 3 years ago

Hello all,

It seems updating my config with the latest SwiftOnSecurity XML template and getting rid of ImageLoad events from custom rules resolved the issue.

Many thanks for your help.
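Before trimming rules as in the resolution above (dropping ImageLoad, which jean-bon also flagged), it helps to measure which Sysmon event types actually dominate on the affected host. The following PowerShell diagnostic is an added example, not part of this thread or the sysmon-config project; it assumes English counter names and that the process is installed as sysmon.exe (counter instance "Sysmon").

```powershell
# Added diagnostic (not from the sysmon-config project): count Sysmon events per
# event ID over the last N minutes and sample the Sysmon process CPU, so you can
# see whether ImageLoad (Event ID 7) or another rule type is driving the load.
param(
    [int]$Minutes = 10,
    # Assumption: installed as sysmon.exe; use 'Sysmon64' if installed as Sysmon64.exe
    [string]$ProcessName = 'Sysmon'
)

# Sysmon event IDs most often responsible for volume
$names = @{ 1='ProcessCreate'; 3='NetworkConnect'; 7='ImageLoad'; 10='ProcessAccess';
            11='FileCreate'; 12='RegistryAdd/Delete'; 13='RegistryValueSet'; 22='DnsQuery' }

$start  = (Get-Date).AddMinutes(-$Minutes)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = $start
} -ErrorAction SilentlyContinue

"Sysmon events in the last $Minutes minute(s), by event ID:"
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n='EventId';   e={ $_.Name }},
                  @{n='Type';      e={ $names[[int]$_.Name] }},
                  Count,
                  @{n='PerMinute'; e={ [math]::Round($_.Count / $Minutes, 1) }} |
    Format-Table -AutoSize

# Five one-second samples of Sysmon CPU; the value is percent of a single core,
# so it can exceed 100 on a multi-core VM (assumes English-language counter names)
$samples = Get-Counter -Counter "\Process($ProcessName)\% Processor Time" `
                       -SampleInterval 1 -MaxSamples 5 -ErrorAction SilentlyContinue
if ($samples) {
    $samples.CounterSamples | ForEach-Object {
        '{0:HH:mm:ss}  {1} CPU {2,6:N1} %' -f $_.Timestamp, $ProcessName, $_.CookedValue
    }
}
```

Run it while reproducing the activity that spikes CPU (opening Office, a browser, PowerShell); a high ImageLoad rate confirms that the ID 7 rules are where the tuning effort belongs.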