IBM Support

IZ26746: HIGH CPU FOR EVENT LOG PROCESSING

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The event log processing is being enabled for all the event
logs found on the system.  This is causing high CPU for event
logs that have high event traffic and no situation is started
to monitor these logs.  The agent should not enabled the event
log monitor unless a situation is started that requires the log
to be monitored.

Detailed Recreation Procedure: Start any situation that monitors
one log and then all logs will be enabled as can be seen in the
trace log.

Related Files and Output: None.

Local fix

  • 



Problem summary


    

  • Situations created to monitor the Windows event logs may cause a
high CPU condition, because the situation does not define which
Windows event log to monitor. When a situation does not define
which Windows event log to monitor, then all the Windows event
logs must be monitored for events for situation evaluation. Moni
toring of all the event logs causes a high CPU condition
because of the high number of events that must be processed for
all the events logs. Currently, two situations
NT_Invalid_Logon_Attempt and NT_Service_Error, are shipped with
the Monitoring Agent for Windows OS and are enabled at start
up. Both these situations can cause a high CPU condition because
they do not specify which Windows event log to monitor. To
correct this problem, the Windows event monitoring process is
modified to only monitor the Windows event log that is specified
in the situation. Therefore, it is recommended that any event
log situation, including the two situations shipped with the Mon
itoring Agent for Windows OS should specify which Windows event
log to monitor.

    



Problem conclusion



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IZ26746
    • 

  • Reported component name
    ITM AGENT WINDO
    • 

  • Reported component ID
    5724C040W
    • 

  • Reported release
    620
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2008-07-10
    • 

  • Closed date
    2008-07-24
    • 

  • Last modified date
    2010-11-04
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    ITM AGENT WINDO
    • 

  • Fixed component ID
    5724C040W
    • 



Applicable component levels


    

  • R620  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSRM2J","label":"Tivoli OMEGAMON XE for Distributed Systems"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"620","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            04 November 2010
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback