Excessive traffic

Symptoms

NetWrix Account Lockout Examiner generates excessive traffic in our network

Cause

NetWrix Account Lockout Examiner gets information from Windows security logs. The product connects to domain controllers (DCs) to find lockout events. Then it connects to workstations to find detailed information about the invalid logon attempts that caused the lockouts. When the product is configured to monitor all DCs in your domain, it establishes connections with all DCs as well as their subject workstations.

Resolution

To reduce the bandwidth usage, do the following: 

  1. Run Registry Editor: navigate to Start --> Run, type in regedit and click OK.
  2. Navigate to HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner (Wow6432Node only for x64 OS). 
  3. Set readlog to 0. 
  4. Create a new DWORD UseWatcher and set its value to 1. 
  5. Set UseWMI_Workstations to 1.
  6. Restart Netwrix Account Lockout Examiner Service via the Services snap-in.

This changes the method of event collection and should reduce bandwidth utilization.

There is also an option to disable examination of workstations. In this case, the name of the process that causes the invalid logon will never be shown.
To disable examination of workstations, do the following:

  1. Run Registry Editor: navigate to Start --> Run, type in regedit and click OK.
  2. Navigate to HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner (Wow6432Node only for x64 OS).
  3. Create a new DWORD PF_Enabled and set its value to 0. 
  4. Restart NetWrix Account Lockout Examiner Service via the Services snap-in.
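
Both registry procedures above can be scripted. The PowerShell below is an added example, not Netwrix's own tooling; it prints each previous value so the change can be reverted. Assumptions: all four values are DWORDs (the page states this only for UseWatcher and PF_Enabled), the service is matched by a display name containing "Account Lockout Examiner", the session is elevated, and `-DisableWorkstationExamination` is a hypothetical switch name.

```powershell
# Added example: applies the registry changes from the steps above.
# Assumptions: values are DWORDs; service is matched by display name.
param(
    [switch]$DisableWorkstationExamination  # also apply PF_Enabled = 0
)

# Pick the key that exists: Wow6432Node on x64 OS, plain path otherwise.
$candidates = @(
    'HKLM:\Software\Wow6432Node\NetWrix\Account Lockout Examiner',
    'HKLM:\Software\NetWrix\Account Lockout Examiner'
)
$key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $key) { throw 'Account Lockout Examiner registry key not found.' }

# Values from the first procedure; PF_Enabled from the second, if requested.
$settings = [ordered]@{ readlog = 0; UseWatcher = 1; UseWMI_Workstations = 1 }
if ($DisableWorkstationExamination) { $settings['PF_Enabled'] = 0 }

foreach ($name in $settings.Keys) {
    # Record the previous value so the change can be reverted later.
    $old = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $old) { $old = '<not set>' }
    Write-Output ("{0}: {1} -> {2}" -f $name, $old, $settings[$name])
    # New-ItemProperty -Force creates the value or overwrites an existing one.
    New-ItemProperty -Path $key -Name $name -Value $settings[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Restart the service so the new collection method takes effect.
$svc = @(Get-Service -DisplayName '*Account Lockout Examiner*' -ErrorAction SilentlyContinue)
if ($svc.Count -ne 1) { throw "Expected one matching service, found $($svc.Count)." }
Restart-Service -InputObject $svc[0]
```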
