Hi all,
Running SAM v5.5 for 2 weeks and notice that polling a node using WMI polling fills up the MS security log on a monitored server very quickly.
Any pointers on how to remedy this is greatly appreciated.
It's likely that you have auditing enabled on that server for successful logon events. If these events are excessive and unwanted I would recommend changing the audit policy on your monitored servers to only log failed login events.
Thank you for the reply. The auditing is the default setting for Windows server OS and group policy.
My question is why is SAM causing an event in this log 5-6 times a minute with polling set to every 10 minutes? I am surprised this hasn'y been mentioned in the forum before.
Each component monitor within a template functions independently of the others. Hence why you can define credentials on a per-component monitor basis. With Windows auditing enabled each component monitor will generate one successful login and one successful logout event in the security event log each time it's polled.
Agreed! So how do I reduce the amount of polling so the login events are reduced? I have already upped the interval to 600 seconds from default 300 and it seems to have no effct on the every minute, 5-6 events?
