KBI 311459 AWS Why Windows Event Log Monitoring Is So Much Faster On AWS EC2

Version

Argent Advanced Technology – All versions

Date

Tuesday, 20 September 2016

Summary

The traditional way to monitor Windows Event Logs is to use the classic Windows Event Log API

The central Argent Engine reads the Event Log file on the remote machine across the network, loads the message DLLs, composes the Event details on the central Argent Engine, and then runs the monitoring logic on the central Argent Engine

It is obviously expensive to read huge files over the network

In contrast, AWS EC2 Windows instances can be monitored through PowerShell Remoting

The actual Event Log reading and filtering happens on the EC2 instance instead of on the central Argent Engine machine

For example, suppose there are 10 Events with ID ‘4625’ out of a total of 100,000 Event records

When PowerShell Remoting is used to monitor such Events, only the 10 matching records, not all 100,000, are read over the network

The improvement is clear

The other benefit of using PowerShell Remoting is that it avoids overloading the central Argent Engine machine

Obviously the CPU cycles need to come from somewhere; in the EC2 case it is the target machine’s CPU cycles that are spent on the monitoring work
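The following PowerShell script is an added illustration of the remote-side filtering described above (the Event ID 4625 example and the CPU offload point); it is not Argent code and not part of the original KBI. It assumes WinRM is enabled on the EC2 instance, that the instance is reachable as the placeholder name EC2-INSTANCE-PLACEHOLDER, and that the caller holds a credential authorised to read the Security log. Event ID 4625 is the Security log logon-failure event, which is why the script targets that log.

```powershell
# Added example: filter the Windows Event Log ON the EC2 instance and return
# only the matching records to the monitoring host.
# Assumptions (not from the original KBI): WinRM is enabled, the instance is
# reachable as 'EC2-INSTANCE-PLACEHOLDER', and Event ID 4625 (Security log,
# failed logon) is the event being monitored.
param(
    [string]$ComputerName = 'EC2-INSTANCE-PLACEHOLDER',
    [pscredential]$Credential = (Get-Credential),
    [int]$EventId = 4625,
    [int]$LookbackMinutes = 60
)

# This script block runs inside the PowerShell Remoting session, i.e. on the
# EC2 instance. Get-WinEvent -FilterHashtable pushes the filter into the
# Windows event subsystem, so the non-matching records (99,990 in the KBI's
# example) are never rendered and never cross the network.
$remoteFilter = {
    param($Id, $Minutes)

    $filter = @{
        LogName   = 'Security'
        Id        = $Id
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }

    # Get-WinEvent raises a non-terminating error when nothing matches;
    # SilentlyContinue turns that into an empty result set.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Project each record to a small object before it is serialised
            # back to the caller; the full EventRecord with rendered message
            # text is far larger on the wire.
            $xml  = [xml]$_.ToXml()
            $data = $xml.Event.EventData.Data
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                Id            = $_.Id
                TargetUser    = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                IpAddress     = ($data | Where-Object Name -eq 'IpAddress').'#text'
                FailureStatus = ($data | Where-Object Name -eq 'Status').'#text'
            }
        }
}

# Only the projected, already-filtered records come back over WinRM.
$hits = @(Invoke-Command -ComputerName $ComputerName -Credential $Credential `
    -ScriptBlock $remoteFilter -ArgumentList $EventId, $LookbackMinutes)

# The monitoring logic on the central machine now works on a handful of
# records instead of the whole log.
"$($hits.Count) event(s) with ID $EventId in the last $LookbackMinutes minute(s) on $ComputerName"
$hits | Sort-Object TimeCreated | Format-Table TimeCreated, TargetUser, IpAddress, FailureStatus -AutoSize
```

By contrast, calling Get-WinEvent -ComputerName against the instance from the central machine without the remoting wrapper would pull records across the network first and filter second, which is the classic behaviour the KBI describes as expensive.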

Technical Background

N/A

Resolution

N/A