This might take you < 1 minute to read.

I have just troubleshoot a domain with really slow domain controllers.
In a closer look they where not so slow. The Read the security log at 40MB/sec. How could that be?

First of all I checked what process read the event log file. “System”, not very informative, but ok. Is the process (pid 4) sending data on the network? Hmm no. Where to go next? The log itself. 460k+ entries. Quite large file. 10GB large and is rotation. Looking at it I could see that it was writing about 500 rows every second. Why write so many entries? A quick look in the policies for the computer shows that all auditing is enabled. Action: disable all that was not wanted.

Ok now it is not writing as frequent but the read speed is almost the same. Shrink the size of the log file and clear it and the issue was gone. Now I had to do this for all domain controllers.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.