Hi all,
Running SAM v5.5 for 2 weeks and noticed that polling a node using WMI polling fills up the MS security log on a monitored server very quickly.
Any pointers on how to remedy this are greatly appreciated.
It's likely that you have auditing enabled on that server for successful logon events. If these events are excessive and unwanted, I would recommend changing the audit policy on your monitored servers to only log failed login events.
Thank you for the reply. The auditing is the default setting for Windows server OS and group policy.
My question is why is SAM causing an event in this log 5-6 times a minute with polling set to every 10 minutes? I am surprised this hasn't been mentioned in the forum before.
Each component monitor within a template functions independently of the others. That is why you can define credentials on a per-component-monitor basis. With Windows auditing enabled, each component monitor will generate one successful login and one successful logout event in the security event log each time it's polled.
Agreed! So how do I reduce the amount of polling so the login events are reduced? I have already upped the interval to 600 seconds from the default 300 and it seems to have no effect on the every-minute, 5-6 events?
The image above references the node polling cycle, not application polling. To modify the frequency with which applications are polled, edit the assigned application for that node and change the "Polling Frequency" as pictured below. This can also be done at the template level.
Thank you again! So I have also turned the polling down on the App templates used, to 600 from 300. But that still does not explain the 5 events per minute.
The only way I found to eliminate those events was to delete a node from being monitored by SAM. Apps seem to have no effect on the frequency of security events, only node monitoring of CPU, memory, drives and NICs.
Nodes, Volumes, and Interfaces each have their own polling rate. The value you changed in your screenshot above was for ICMP node status. Node statistics (CPU/Memory/Hardware Health) are polled every 10 minutes, volumes every 15 minutes, and interfaces every 9. That means that each of these polls operates independently of the others at a different polling interval. That may explain why you're seeing these events so frequently.
I recommend an experiment. Start by deleting the node from Orion. Then add it back as a WMI managed node and don't select anything to monitor under List Resources. Don't assign any application monitors either. How many events per minute are you seeing in your security log? There will still probably be a few, but very infrequent.
Begin monitoring one thing at a time (CPU/Memory first, then volumes, etc) monitoring the security event log as you go.
Excellent suggestion! And here are the results. Security event log before adding to SAM:
After adding node to WMI polling, but no resources selected:
What am I missing?
So at the moment, with only the node added, i.e. no resources or apps monitored, the security event log will log an event (User: svcSAMPollMon) every 4-6 minutes with 5-6 entries in the log:
How can this logging be adjusted?
By "adjusted" what do you mean exactly? These audit events are generated by the operating system. The only way I'm aware of to prevent these entries from occurring is to either switch to SNMP from WMI polling, or disable logging of successful logins.
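Editor's added example, not code from the thread or from SolarWinds: a PowerShell script to run on the monitored server that (1) measures the rate of logon/logoff audit events attributed to the polling account, which is the counting experiment described above done with a query instead of eyeballing Event Viewer, and (2) applies the remedy the replies suggest, restricting Logon/Logoff auditing to failures. Assumptions not stated in the thread: the polling account is `svcSAMPollMon` as in the poster's screenshot; the events are the standard Windows Security IDs 4624 (successful logon) and 4634 (logoff); the measurement window is the last 60 minutes.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on the
# monitored Windows server. Account name, event IDs and window are assumptions.

function Get-PollingLogonEvents {
    param(
        [string]$Account = 'svcSAMPollMon',   # assumed SAM polling account
        [int]$Minutes   = 60                   # assumed measurement window
    )
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $filter = @{ LogName = 'Security'; Id = @(4624, 4634); StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of relying on
        # positional Properties[] indexes, which differ between 4624 and 4634.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $Account) { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            LogonType = $data['LogonType']   # 3 = network logon; WMI over DCOM uses this
            Source    = $data['IpAddress']   # present on 4624 only; should be the poller
        }
    }
}

$hits = @(Get-PollingLogonEvents -Account 'svcSAMPollMon' -Minutes 60)

# Totals per event ID, the overall rate, and a per-minute breakdown to compare
# against the node/volume/interface polling intervals quoted in the thread.
$hits | Group-Object Id | Select-Object Name, Count
if ($hits.Count -gt 0) {
    '{0:N2} events per minute from this account' -f ($hits.Count / 60)
    $hits | Group-Object { $_.Time.ToString('HH:mm') } |
        Sort-Object Name | Select-Object Name, Count
}

# Show the effective audit setting before changing anything.
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"Logoff"

# The remedy suggested in the thread: stop auditing successful logons/logoffs,
# keep auditing failed logons. On a domain-joined server a GPO that sets Advanced
# Audit Policy Configuration overwrites this at the next policy refresh, so the
# same change has to be made in that GPO rather than locally.
auditpol /set /subcategory:"Logon"  /success:disable /failure:enable
auditpol /set /subcategory:"Logoff" /success:disable
```

Two points worth checking before adopting the audit-policy change. First, confirm that `Source` in the output is the Orion poller's address and `LogonType` is 3 for every hit; if other sources or logon types appear, the noise is not only SAM. Second, successful-logon events are what most lateral-movement and account-misuse detections are built on, so an alternative that keeps them is to leave the policy as is and drop or down-sample events for the polling account at the log collector or SIEM, keyed on `TargetUserName` and the poller's `IpAddress`, rather than on the server itself.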