KBI 311459 AWS Why Windows Event Log Monitoring Is So Much Faster On AWS EC2
Version
Argent Advanced Technology – All versions
Date
Tuesday, 20 September 2016
Summary
The traditional way to monitor Windows Event Logs is to use the classic Windows Event Log API
The central Argent Engine reads the Event Log file on the remote machine across the network, loads the message DLLs, composes the Event details on the central Argent Engine, and then runs the monitoring logic there as well
It is obviously expensive to read huge files over the network
In contrast, an AWS EC2 Windows instance can be monitored through PowerShell Remoting
The actual Event Log reading and filtering then happens on the EC2 instance instead of on the central Argent Engine machine
For example, suppose there are 10 Events with ID 4625 (an account failed to log on) out of a total of 100,000 Event records
When PowerShell Remoting is used to monitor such Events, only the 10 matching records, not all 100,000, are read over the network
The improvement is clear
The other benefit of using PowerShell Remoting is that it avoids overloading the central Argent Engine machine
The CPU cycles have to come from somewhere, and in the EC2 case it is the target instance's CPU cycles that are spent on the monitoring work
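The following script is an added example, not code from the Argent KBI or the Argent Engine, showing the two approaches side by side: a client-side filter that drags the whole Security log across the network, and a PowerShell Remoting script block that filters for Event ID 4625 on the EC2 instance and sends back only the matching records. The instance name 'ec2-win-01', the credential variable, the 24-hour window and the function names are assumptions chosen for illustration

```powershell
# Added example (not from the Argent KBI): compare client-side and
# instance-side filtering of the Security log on an EC2 Windows instance.
# Assumptions (hypothetical values): the instance is reachable over WinRM
# with an HTTPS listener (TCP 5986) as 'ec2-win-01', and $Credential holds
# a local administrator credential for that instance.
param(
    [string]$ComputerName = 'ec2-win-01',
    [pscredential]$Credential = (Get-Credential -Message 'EC2 instance admin')
)

# --- Slow path: every record crosses the network, the filter runs here ---
# Get-WinEvent -ComputerName talks to the remote Event Log service directly;
# with only a -LogName and a downstream Where-Object, every record (all
# 100,000 in the KBI's example) is read over the network and the Id test
# runs on the monitoring machine. Defined here for comparison, not invoked.
function Get-FailedLogonsClientSide {
    param([string]$Computer, [pscredential]$Cred)
    Get-WinEvent -ComputerName $Computer -Credential $Cred -LogName 'Security' |
        Where-Object { $_.Id -eq 4625 }
}

# --- Fast path: PowerShell Remoting, the filter runs on the instance ---
# The script block executes inside a WinRM session on the EC2 instance, so
# Get-WinEvent reads and filters the log locally there, the message text is
# composed from the instance's own message DLLs, and only the matching
# records come back over the network as small deserialized objects.
function Get-FailedLogonsInstanceSide {
    param([string]$Computer, [pscredential]$Cred, [int]$Hours = 24)
    $session = New-PSSession -ComputerName $Computer -Credential $Cred -UseSSL
    try {
        Invoke-Command -Session $session -ArgumentList $Hours -ScriptBlock {
            param([int]$Hours)
            # Get-WinEvent reports an error when nothing matches;
            # SilentlyContinue turns "no events found" into an empty result.
            Get-WinEvent -FilterHashtable @{
                LogName   = 'Security'
                Id        = 4625
                StartTime = (Get-Date).AddHours(-$Hours)
            } -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Extract the useful EventData fields on the instance so the
                # central machine receives flat objects instead of full events.
                $x = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    TimeCreated   = $_.TimeCreated
                    Id            = $_.Id
                    TargetUser    = $data['TargetUserName']
                    IpAddress     = $data['IpAddress']
                    FailureStatus = $data['Status']
                    LogonType     = $data['LogonType']
                }
            }
        }
    }
    finally {
        Remove-PSSession $session
    }
}

$events = Get-FailedLogonsInstanceSide -Computer $ComputerName -Cred $Credential
"{0} failed logon(s) returned from {1}" -f @($events).Count, $ComputerName
$events | Format-Table -AutoSize
```

Two practical points when running this against EC2: the instance's security group should allow the WinRM port only from the monitoring machine's address, and a non-domain-joined instance needs either an HTTPS listener with a certificate the monitoring machine trusts or an entry in the WSMan TrustedHosts list, the latter being the weaker choice because it skips server authentication. Drop -UseSSL only if the connection is confined to a private VPC path over TCP 5985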
Technical Background
N/A
Resolution
N/A