While the log file collector is collecting, CPU usage stays at 90% or more.
Symptoms You have enabled Dynamic log files, there are multiple large logs and the CPU usage is very high.
This is a known issue with the MonitorDynamicLog setting in the Log File sensors. With DynamicLogFile the sensor must load the logs that are in that directory. If there are a lot of logs in the target log directories, it uses more resources to load them.
There are several ways to resolve this problem.
Set the sensor to monitor Single Log Files only Set the sensor to monitor Single Log Files only. This setting will cause the sensor to only monitor the active log file. As new events are added to the active log file, they are read by the sensor.
Log in to the SSIM Console as administrator
Click Product Configurations
Expand the collector configuration
Open up each sensor
In "reading mode" choose: MonitorSingleLogFile
In Log file name enter the name of the actual log file, <logfilename>
active.csv (example: Failed Attempts active.csv)
Save and distribute the sensor settings
Using DynamicLogFile In order to continue using DynamicLogFile, you must cut down on the logs that are being processed. You must move logs that have already been processed or irrelevant logs to another directory to reduce the CPU consumption.
Stop the Sesa agent.
In Windows Explorer navigate to the target log file folders for the log types you are collecting.
Move any logs that have already been processed.
Move any logs which are too old to be relevant.
Restart the sesa agent.
Make a routine to move the old logs from this folder periodically.
Another option is to follow KB TECH173421 (see reference at bottom)
Imported Document ID: TECH92007
Subscribing will provide email updates when this Article is updated. Login is required.