High memory usage even after the "readlog" registry key is set to 0
Symptoms: Registry changes have been applied per KB1277, but memory usage is still very high.
Cause: Account Lockout Examiner tracks events from the security log and then processes them to extract information such as account name, workstation name, and IP address.
These issues are related to very high activity in the environment: the number of events to track is more than the Account Lockout Examiner service can handle, and a queue builds up in memory.
In most cases such activity is related to having several accounts (one or two "problem" accounts) that generate too many invalid logons per second.
Resolution: First, try to perform additional tuning of the product via the registry. On the Account Lockout Examiner host machine:
Second, check the product logs to find out whether there are any issues in your environment.
NOTE. If you have a valid support contract, feel free to contact Netwrix Technical support.
ALEService.exe Information: 0 : [TID, <timestamp>] EVENT WATCHING INFO: Logon failure event: <EventRecordID> from <servername>. NTAccount: <accountname>. Time generated: <event timestamp>
This means that the service tracked an invalid logon event for the <accountname> from the security log of <servername>. The event was generated on <event timestamp> and has the record ID <EventRecordID>.
Verify that there are no accounts generating several invalid logons per second. Otherwise, find such accounts and check the DC security logs for details of the invalid logons to determine the root cause of the excessive number of invalid logons generated by that account.
NOTE. The most common reason for this is failed domain relationships: a machine account tries to authenticate to the domain but is not able to.
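One way to run the check described above, as an added example that is not part of the original article or of the product: a Python script that parses logon-failure entries in the format quoted above and reports accounts whose failures within a single second reach a threshold. The timestamp format, the threshold of 2, the name `noisy_accounts`, the duplicate-entry handling and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Layout follows the log entry quoted above. The timestamp text is kept opaque
# and assumed (not confirmed by the article) to have one-second resolution.
LINE_RE = re.compile(
    r"EVENT WATCHING INFO: Logon failure event: (?P<record>\S+) from (?P<server>.+?)\. "
    r"NTAccount: (?P<account>.+?)\. Time generated: (?P<when>.+?)\s*$"
)

def noisy_accounts(lines, per_second_threshold=2):
    """Report accounts whose failures within one second reach the threshold."""
    seen = set()                       # (server, record ID) pairs already counted
    per_second = defaultdict(Counter)  # account -> {timestamp text: failures}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                   # not a logon-failure entry
        key = (m["server"], m["record"])
        if key in seen:
            continue                   # same event read twice (overlapping log copies)
        seen.add(key)
        per_second[m["account"]][m["when"]] += 1
    report = []
    for account, buckets in per_second.items():
        peak = max(buckets.values())
        if peak >= per_second_threshold:
            report.append({
                "account": account,
                "total": sum(buckets.values()),
                "peak_per_second": peak,
                "machine_account": account.endswith("$"),  # computer accounts end in "$"
            })
    return sorted(report, key=lambda r: (-r["peak_per_second"], r["account"]))

# Constructed sample lines, not taken from a real log.
P = "ALEService.exe Information: 0 : [4120, 2024-03-05 10:15:04] EVENT WATCHING INFO: "
SAMPLE = [
    P + r"Logon failure event: 88121 from DC01. NTAccount: CORP\WS-042$. Time generated: 2024-03-05 10:15:02",
    P + r"Logon failure event: 88122 from DC01. NTAccount: CORP\WS-042$. Time generated: 2024-03-05 10:15:02",
    P + r"Logon failure event: 88123 from DC01. NTAccount: CORP\WS-042$. Time generated: 2024-03-05 10:15:02",
    P + r"Logon failure event: 88122 from DC01. NTAccount: CORP\WS-042$. Time generated: 2024-03-05 10:15:02",
    P + r"Logon failure event: 88124 from DC01. NTAccount: CORP\WS-042$. Time generated: 2024-03-05 10:15:03",
    P + r"Logon failure event: 5150 from DC02.corp.example. NTAccount: CORP\jsmith. Time generated: 2024-03-05 10:15:02",
    "ALEService.exe Information: 0 : unrelated entry",
]

if __name__ == "__main__":
    print(noisy_accounts(SAMPLE))
```

An account reported with `machine_account` set to true matches the case in the NOTE above and is the first one to look up in the DC security logs.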