This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Troubleshooting slow console

FormerMember
FormerMember

I have setup about 15 devices to log to the LEM and the console access is now very slow. Editing tools and agents is now very painful due to the click and wait till the console responds. I follwed a guide on the knowledgebase, KB1599 Disabling the Windows Noise Alerts and KB 1676 Disabling Windows Filtering Platform Auditing. Where do I start to try to troubleshoot the slow console?

  • FormerMember
    0 FormerMember

    There are usually a few things that contribute to Console performance:

    • The volume of data coming through the system
    • The # and type of filters in Monitor
    • The # and refresh rate of widgets in Monitor and Ops Center
    • The resources available to the workstation

    Regarding volume, you started in the right place - tuning out some of the most common noise that's not generally useful in real-time for monitoring/alerting. There's only so much you can do here.

    Regarding filters, some things to look out for:

    • Multiple filters that look for high volume alert sources - like "All Alerts", "Network Alerts", "Firewalls", etc. It usually takes a large # of these types of filters before it's an issue, but it's something to look out for.
    • Filters that compare against large user-defined groups (we're talking thousands of items), like the "Spyware Sites" list.
    • Filters with extensive complex criteria, though this is lower impact than filters with high volume.

    You can try turning off temporarily certain filters to see how they impact usability. (Select filter, select the gear on the top left, select Turn Off - it won't delete the filter, it just inactivates it).

    Regarding widgets, some things to look out for:

    • The combination of a low refresh rate, high number of "split by" values, long scope, and low intervals means drawing more dots more often, which will use more CPU.
    • In Monitor, only one widget per filter can be selected. You can select to have no widget selected by default (which means it won't draw) and then click on it when needed, if it's a high-volume/refresh widget.
    • On Ops Center, the number of widgets, plus the number of widgets that draw a high volume of times/elements, can create complexity. 

    You can remove widgets from Ops Center without removing them entirely - if you delete them from Ops Center, they still remain in the Widget Manager. If you delete them from Monitor, though, they are deleted entirely - better to select "None" if you don't want a widget to appear in the filter.

    Lastly, the most obvious is resources available to the workstation - the more volume at a higher rate, the more CPU. The more filters AND volume, the more RAM.

    If you get stuck or want someone to look at your specific situation that you don't want to post to Thwack, our support team can help.

  • FormerMember
    0 FormerMember in reply to FormerMember

    Thanks for your help. The problem seems to have been the web traffic-spyware category.