Recently we installed the WECS service in a customer's environment to
collect the Windows events in Sentinel.

When the WECS service starts, the collector starts receiving the events
at a normal rate. In less than an hour though, the WECS log shows that the
Agent is backlogged and sending of events is suspended. After that
it'll take a considerable time (sometimes hours) before sending of
events is resumed. After that the agent is quickly backlogged again. The
result is that the EPS slows down to a trickle. Sometimes to 7 EPS in a

When checking the server0.0.log on the Sentinel system, it reports on
the Active Directory and Windows Collector:
99% (14.52 min) Raw Data Waiting to be Parsed

The Sentinel server's resources and the WECS server's resources don't
appear to be the bottleneck. Neither is reaching its maximum capacity
when this occurs. The Sentinel server itself has 8 2,4GHz CPUs and 16G
and uses half of that when encountering this problem.

The Collector has one WMI Connector attached to it, listening on the
(default) port 1024 and 7 (rather active) Active Directories running.

Does anyone have an idea how to troubleshoot and/or solve this
performance problem? Especially the part where raw data cannot be parsed
while the server resources are still plentiful.

Any help would be much appreciated.

Kind Regards,


turgon2007's Profile: https://forums.netiq.com/member.php?userid=9632