vector-sec / TA_ETW

Splunk Technology Add-On (TA) for collecting ETW events from Windows systems

TA_ETW memory usage #3

Open Garthenag opened 3 years ago

Garthenag commented 3 years ago

Hello,

We have installed the app on a few of our DCs and were able to start pulling the logs on some of them. Unfortunately, on about 50% of the servers the TA_ETW process consumes enormous amounts of memory (up to 30GB).

Regards, Dawid

vector-sec commented 3 years ago

Hey @Garthenag, can you provide some more information about the environment, such as CPU/memory specs and the version of Windows that is being used?

Garthenag commented 3 years ago

Hello @vector-sec ,

I have found the culprit of the memory usage: it seems that when TA_ETW is unable to send logs fast enough, it starts caching data in memory. The issue only appeared on the servers that were unable to send the logs to the indexers, or where the load was really high.

Regarding the second issue you have closed, I have also found the root cause. It seems the add-on was unable to shut itself down properly and left an open Data Collector Set, which prevented TA_ETW from accessing the DNS logs after the restart. It happened on the server with high memory usage, so you might be right that they are related.

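The two symptoms described in this thread (a collector that buffers in memory when it cannot reach the indexers, and a trace session left behind after an unclean shutdown) can be checked on a DNS server with the following script. This is an added example, not code from the TA_ETW project; it assumes the collector process is named `TA_ETW` as in the report, that its ETW session name contains `TA_ETW` (a placeholder, adjust to the real session name), and the 2 GB alert threshold is chosen only for illustration.

```powershell
# Added example (not part of TA_ETW): spot the back-pressure and orphaned-session
# conditions described in issue #3 on a Windows host running the collector.
param(
    [string]$ProcessName    = 'TA_ETW',   # process name from the report
    [string]$SessionPattern = 'TA_ETW',   # assumption: substring of the ETW session name
    [int]   $MaxWorkingSetMB = 2048       # illustrative alert threshold
)

# 1. Memory: the collector buffers events when it cannot forward them, so a
#    growing working set is the first sign that the indexers are unreachable
#    or the host cannot keep up with the event rate.
$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $ws = [math]::Round($p.WorkingSet64 / 1MB)
    if ($ws -gt $MaxWorkingSetMB) {
        Write-Warning "PID $($p.Id): working set $ws MB exceeds $MaxWorkingSetMB MB; check indexer connectivity and host load"
    } else {
        Write-Output "PID $($p.Id): working set $ws MB (ok)"
    }
}

# 2. Orphaned sessions: a Data Collector Set or ETW trace session left running
#    after an unclean shutdown keeps the provider attached, so the restarted
#    collector cannot re-open the DNS log.  'logman query' lists Data Collector
#    Sets, 'logman query -ets' lists active trace sessions; the first column of
#    each row is the name.
function Get-CollectorSessions {
    param([string]$Pattern)
    $rows = @(logman query) + @(logman query -ets)
    $rows |
        Where-Object { $_ -match '^\S' -and $_ -match $Pattern } |
        ForEach-Object { ($_ -split '\s{2,}')[0] } |
        Sort-Object -Unique
}

$sessions = Get-CollectorSessions -Pattern $SessionPattern
if (-not $procs -and $sessions) {
    Write-Warning "Collector is not running but these sessions are still active: $($sessions -join ', ')"
    Write-Output  "After confirming they belong to the collector, stop them with: logman stop <name> -ets"
} elseif ($sessions) {
    Write-Output "Collector sessions present (collector running): $($sessions -join ', ')"
} else {
    Write-Output "No sessions matching '$SessionPattern' found"
}
```

Run it from an elevated PowerShell on the affected server before restarting the add-on; a stale session with no collector process is the state described in the second comment.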