Security Manager is causing high CPU and memory usage on my IIS servers. (NETIQKB24331)

  • 7724331
  • 02-Feb-2007
  • 27-Aug-2007

Resolution

fact
Security Manager 4.20

fact
Security Manager 4.50

fact
Security Manager 5.x

symptom
Security Manager is causing high CPU and memory usage on my IIS servers.

symptom
Security Manager script is automatically bouncing the agent service on my IIS servers.

symptom
Security Manager is utilizing numerous resources on my IIS servers.

symptom
The value xxx exceeded the threshold for private bytes. A large value for private bytes can be an indicator of memory leakage in the service. The service will be stopped and restarted to avoid depletion of system resources.

cause
This can be due to a large number of old log files in the log directories.

fix

NOTE:  There are two steps required to keep Security Manager from processing old IIS logs:

  1. Starting with Security Manager 4.2, the provider can ignore files older than a certain number of days.  This is controlled via a registry setting in the following key:
    • pre SM 5.1 - HKLM\SOFTWARE\Mission Critical Software\OnePoint\Configurations\<Config Group Name>\Operations\Agent\Event Providers\Application Log\{GUID}
    • SM 5.1 and higher - HKLM\SOFTWARE\NetIQ\Security Manager\Configurations\<Config Group Name>\Operations\Agent\Event Providers\Application Log\{GUID}

      Under the GUID key that has a Description value of Internet Information Server web server log, there is another value called OldLogsIgnoreDays.  The default for this value is 0, which means all logs are processed.  To limit the logs processed to those up to a certain age, enter a numerical value corresponding to the age in days of the logs to be processed.  For example, to process only the logs created in the last five days, enter a numerical value of
       
  2. Important - Now, archive the IIS event logs that are older than the OldLogsIgnoreDays setting to another server.  These files are typically located under \WINDOWS\system32\LogFiles\W3SVC1 (for the default website).  This way Security Manager will not need to check each file to determine if it's old or not.  This will need to be done on a regular basis.
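
Example (added here, not part of the NetIQ article): a PowerShell script that reads OldLogsIgnoreDays from the SM 5.1 and higher key described in step 1 and moves IIS logs older than that many days to an archive location, as in step 2. The configuration group name, the archive share, the -Apply switch and the use of LastWriteTime to judge file age are assumptions; run it from a scheduled task to repeat the archive on a regular basis.

```powershell
# Added example: archive IIS logs older than the agent's OldLogsIgnoreDays setting.
# Assumed values (not from the article): $ConfigGroup, $ArchiveRoot, the -Apply switch.
param(
    [string]$ConfigGroup = 'ExampleConfigGroup',        # placeholder: your <Config Group Name>
    [string]$LogDir      = "$env:SystemRoot\system32\LogFiles\W3SVC1",
    [string]$ArchiveRoot = '\\archive-server\iislogs',  # placeholder archive share
    [switch]$Apply                                      # without -Apply the script only reports
)

# SM 5.1 and higher. For earlier versions use
# HKLM:\SOFTWARE\Mission Critical Software\OnePoint\Configurations\... instead.
$providers = "HKLM:\SOFTWARE\NetIQ\Security Manager\Configurations\$ConfigGroup" +
             '\Operations\Agent\Event Providers\Application Log'

# Locate the {GUID} key whose Description identifies the IIS log provider.
$iisKey = Get-ChildItem -Path $providers -ErrorAction Stop |
    Where-Object {
        (Get-ItemProperty -Path $_.PSPath).Description -eq 'Internet Information Server web server log'
    } | Select-Object -First 1
if (-not $iisKey) { throw "IIS log provider key not found under $providers" }

$days = [int](Get-ItemProperty -Path $iisKey.PSPath).OldLogsIgnoreDays
if ($days -le 0) {
    # 0 is the default and means all logs are processed, so there is no age limit to archive by.
    Write-Warning "OldLogsIgnoreDays is $days (process all logs). Set it before archiving."
    return
}

# Assumption: age is judged by LastWriteTime, which is never earlier than the creation
# time, so a file selected here is at least $days old by either measure.
$cutoff = (Get-Date).AddDays(-$days)
$dest   = Join-Path $ArchiveRoot (Join-Path $env:COMPUTERNAME (Split-Path $LogDir -Leaf))
$old    = @(Get-ChildItem -Path $LogDir -Filter *.log -File |
            Where-Object { $_.LastWriteTime -lt $cutoff })

foreach ($f in $old) {
    if ($Apply) {
        if (-not (Test-Path $dest)) { New-Item -ItemType Directory -Path $dest -Force | Out-Null }
        Move-Item -Path $f.FullName -Destination $dest
    } else {
        "Would move $($f.FullName) -> $dest"
    }
}
"{0} file(s) older than {1} day(s) {2}" -f $old.Count, $days, $(if ($Apply) { 'archived' } else { 'found' })
```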


note
WARNING: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. NetIQ Technical Support cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Make sure that you back up your registry prior to making any changes.

Additional Information

Formerly known as NETIQKB24331