EventLog Analyzer - Performance Tuning

EventLog Analyzer's performance depends on the machine on which it is deployed. The following configuration procedures help you tune EventLog Analyzer's performance to the maximum.

 

Java Parameters Tuning

EventLog Analyzer version 10 and above support a log flow rate of 20,000 logs/sec in 64-bit editions and 10,000 logs/sec in 32-bit editions.

For 64 bit:

  Maximum flow rate (logs/sec)   Memory required (MB)
  5,000                          1024m
  10,000                         2048m
  20,000                         4096m

For 32 bit:

  Maximum flow rate (logs/sec)   Memory required (MB)
  5,000                          1024m
  10,000                         1536m

To set the flow rate that meets your requirement, follow the configuration steps below.

For Windows service:
  1. Stop the EventLog Analyzer service.
  2. Open the file wrapper.conf located at \server\conf.
  3. Search for wrapper.java.maxmemory.
  4. The default value is 1024; change it to match your log flow rate.
  5. For example, for a flow rate of 20,000 logs/sec, change it to wrapper.java.maxmemory=4096.

For Windows terminal:
  1. Shut down EventLog Analyzer.
  2. Open the file setCommonEnv.bat located at \bin\.
  3. Search for -Xmx; you'll find it in the line that begins with "set JAVA_OPTS".
  4. The default value is -Xmx1024m; change it to match your log flow rate.
  5. For example, for a flow rate of 20,000 logs/sec, change it to -Xmx4096m.

For Linux service:
  1. Stop the EventLog Analyzer service.
  2. Open the file wrapper.conf located at /server/conf.
  3. Search for wrapper.java.maxmemory.
  4. The default value is 1024; change it to match your log flow rate.
  5. For example, for a flow rate of 20,000 logs/sec, change it to wrapper.java.maxmemory=4096.

For Linux terminal:
  1. Shut down EventLog Analyzer.
  2. Open the file setCommonEnv.sh located at /bin/.
  3. Search for -Xmx; you'll find it in the line that begins with "JAVA_OPTS".
  4. The default value is -Xmx1024m; change it to match your log flow rate.
  5. For example, for a flow rate of 20,000 logs/sec, change it to -Xmx4096m.
 

MySQL Database Tuning

To get optimal performance, change the MySQL parameters according to the RAM size of the EventLog Analyzer server.

  1. Open the startDB.bat/sh file located in the /bin directory.
  2. Change the value of the MySQL parameter according to the RAM size. The values specific to each RAM size are listed below.

  RAM size         MySQL parameter changes
  1 GB             Default configuration as given in the startDB.bat/sh file
  2 GB             --innodb_buffer_pool_size=1200M
  3 GB             --innodb_buffer_pool_size=1500M
  4 GB             --innodb_buffer_pool_size=1500M
  8 GB (64 bit)    --innodb_buffer_pool_size=3000M
  16 GB (64 bit)   --innodb_buffer_pool_size=3000M
 

Disk Space Optimization

The hard disk space requirement is closely tied to the log volume generated in your environment. For a high log record rate you need more disk space to store and process the logs. The log generation rate in turn depends on the number of log sources you add for monitoring. Below is the estimated hard disk space requirement for each log volume rate. The data is computed assuming 100 hosts with an average log size of 500 bytes.

  Log record rate or volume   RAM size   Hard disk space requirement per month to run EventLog Analyzer
  100/sec or 4 GB/day         2 GB       85 GB
  500/sec or 20 GB/day        4 GB       400 GB
  1000/sec or 40 GB/day       8 GB       800 GB
 

Calculating the required hard disk space for your environment

EventLog Analyzer automatically scales up to meet the growing number of log sources configured for log collection. By default, the 'Archive' and 'Indexes' folders located at the product installation path grow in size. We recommend that you calculate the required disk space based on the number of log sources being monitored and the average size of each log type, keeping the time period constant.

Average Log Size Details

  • Windows - 1500 bytes
  • Linux/Syslog - 400 bytes
  • AS400 - 1000 bytes

The total disk space is given by:

Total disk space = Archive + Indexes + 5 GB

Calculating the Archive and Indexes content:

Archive = Average Log Size * Logs per sec per Host * 60 * 60 * 24 * No of Days * No of Hosts
Indexes = 1.3 * Average Log Size * Logs per sec per Host * 60 * 60 * 24 * No of Days * No of Hosts
        = 1.3 * Archive

Since the 'Archive' and 'Indexes' folders are zipped, the folder size reduces by 90%, i.e. a zip ratio of 10:1.

Therefore, the total disk space is:

Total disk space = (Archive + 1.3 * Archive) / 10 + 4 days of Archive + 7 days of Indexes + 5 GB

i.e., the default archive zip interval is 4 days and the default index zip interval is 7 days, so those most recent days are still uncompressed.
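The sizing formula above, carried through in code so the estimate can be run for a mix of log types. This is an added example, not ManageEngine's own code; it uses the page's average log sizes, 1.3 index factor, 10:1 zip ratio and 4/7-day zip intervals, and assumes decimal gigabytes (1 GB = 1e9 bytes). It also caps the uncompressed days at the retention period when retention is shorter than a zip interval, which the page's formula does not spell out.

```python
# Added example: EventLog Analyzer disk-space estimate from the page's formula.
SECONDS_PER_DAY = 60 * 60 * 24
AVG_LOG_BYTES = {"windows": 1500, "linux": 400, "as400": 1000}  # from the page
INDEX_FACTOR = 1.3             # Indexes = 1.3 * Archive
ZIP_RATIO = 10                 # zipped folders shrink 10:1
ARCHIVE_ZIP_INTERVAL_DAYS = 4  # default archive zip interval
INDEX_ZIP_INTERVAL_DAYS = 7    # default index zip interval
BASE_GB = 5                    # fixed overhead in the page's formula
BYTES_PER_GB = 1e9             # assumption: decimal GB


def archive_bytes(log_type, logs_per_sec_per_host, days, hosts):
    """Archive = Average Log Size * Logs/sec/Host * 86400 * Days * Hosts (bytes)."""
    if log_type not in AVG_LOG_BYTES:
        raise ValueError(f"unknown log type: {log_type}")
    if logs_per_sec_per_host <= 0 or days <= 0 or hosts <= 0:
        raise ValueError("rate, days and hosts must be positive")
    return AVG_LOG_BYTES[log_type] * logs_per_sec_per_host * SECONDS_PER_DAY * days * hosts


def estimate_disk_gb(sources, days):
    """sources: list of (log_type, hosts, logs_per_sec_per_host).
    Returns the breakdown of
    (Archive + 1.3*Archive)/10 + 4 days of Archive + 7 days of Indexes + 5 GB."""
    archive = sum(archive_bytes(t, rate, days, hosts) for t, hosts, rate in sources)
    indexes = INDEX_FACTOR * archive
    # Data older than its zip interval is compressed 10:1 ...
    zipped = (archive + indexes) / ZIP_RATIO
    # ... while the most recent days stay uncompressed until the interval elapses
    # (capped at the retention period; an assumption beyond the page's formula).
    unzipped = (min(days, ARCHIVE_ZIP_INTERVAL_DAYS) * archive
                + min(days, INDEX_ZIP_INTERVAL_DAYS) * indexes) / days
    return {
        "archive_gb": archive / BYTES_PER_GB,
        "indexes_gb": indexes / BYTES_PER_GB,
        "zipped_gb": zipped / BYTES_PER_GB,
        "unzipped_gb": unzipped / BYTES_PER_GB,
        "total_gb": (zipped + unzipped) / BYTES_PER_GB + BASE_GB,
    }


if __name__ == "__main__":
    # Constructed sample environment: 100 Windows hosts at 1 log/sec each,
    # 50 Linux hosts at 5 logs/sec each, 30 days of retention.
    for key, value in estimate_disk_gb([("windows", 100, 1), ("linux", 50, 5)], 30).items():
        print(f"{key:>12}: {value:10.1f} GB")
```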

Storage Settings

By default, the database/indexes storage is set to '32 days' and archive log storage is set to 'forever'. To change the database/indexes storage period, navigate to the Settings tab and click Archive Settings.

Noise Reduction

EventLog Analyzer provides a filter option that retains and prioritizes in the database only those logs that are of corporate interest, for a quick view. The rest of the logs are collected in the archive folder and are available for viewing at any point in time. The filtering functionality also ensures optimum use of hard disk space. Read more on database filtering here. Sometimes you may not want to apply database filtering: regardless of log type or severity, you may need to retain all the logs in the database as well as in the archive folder. You can do this by:

  • Editing the runSec.bat/sh file located under the \bin directory
  • Adding the entry filtBeforeArch 1 as shown below

  • Default entry:
    bin\SysEvtCol.exe -loglevel 2 -port 513 514 %*
  • Customized entry:
    bin\SysEvtCol.exe -loglevel 2 -filtBeforeArch 1 -port 513 514 %*

General Instruction to Control the Disk Space Growth

In case of disk space constraints, you can move the Archive/Indexes folders to a different drive or a network-mapped drive. Click Settings > Archive Settings and provide your choice of location for archiving and swapping the logs.

With this option, you can transfer the contents of the dormant archive to a tape drive or to high capacity storage for longer retention.

If the product is running in debug mode, consult our support team to change it back to the default log level as soon as your requirement is resolved. Debug level increases the 'log' folder size, causing disk space issues.

Feel free to contact support for any other technical queries.
