i'm having problems working with the event viewer console in windows.
windows version is Windows Server 2019.
the purpose of this server is providing windows event logs gathering from the information system. the logs are filtered then parsed to a SIEM.
As a consequence this server has to deal with bigger logs file than you would usually find on a classic windows install.
the log file size limit had to be increased on multiple logfiles. the limit on each log file is around 25GB
a standard size limit would be around 20MB.
this is necessary for maintenance purpose. if we have to shut the connection between the SIEM and the windows event collector. as an example the WEC would act as a buffer while the siem is rebooting or if we have a downtime of multiple minutes.
Now the problem is : When we open the event viewer console on the server. the program is trying to load some stuff in RAM. but loading is taking a long time due to the size of the logfiles. and ultimately the server reach 100% Ram and is not working properly at this point.
the event viewer won't open properly due to the size of the log files
what can i do to be able to use the event viewer console normally ?
can i tweak the event viewer console so it won't try to load too much stuff when i launch it ? (in some settings or registry ?) cause at the end of day i'm not here to see logs. i just want to manage the subscriptions. we could reduce the size of the logfiles but we would like to avoid that.
All i want to do right now is configuring the subscription
"But, you could do it in the CLI !"
yes some stuff can be managed throught
wecutil in powershell and i would aswell want to use it. In fact for some settings i am already using it.
But if i want to manage source initiated subcription computers. which involve selecting computer AD groups. looks like i can't do it with CLI. (if you have a method, i want to hear it !)
Hope somebody can help :)
i ended being able to use
wecutil to apply the changes i wanted to do to subscriptions.
i wanted to apply the change at the allowed source computers level.
i needed to change from a built-in computer AD group to a computer security group of my own creation.
to do so i needed to recover the SID of the group with this command :
Get-WMIObject win32_group -filter "name='computergroup'"|select Name,sid
then i edited the subscription with that piece of information.
wecutil ss subname /adc:"[SDDL string + SID]"
Again i'm fine with the event viewer being broken on a WEC server as long as i can do anything with