
Anyone else often having a need to correlate multiple log sources such as event log or various log files with performance counters when troubleshooting Windows machines?

For example, we had a case of memory and CPU performance peaking periodically, only to realize it was because one indexing service was accessing data remotely on a server. The way we figured that one out was by looking into the Security event log and seeing many login events from that indexing service's account during the performance peaking periods.

It took us a while to get to this, so I am wondering: is there a tool that auto-correlates performance counter deviation with logs appearing during that time? I know there are many log analyzers out there, but they mostly seem to be SIEM oriented and none has a performance counter correlation feature.

njadric

1 Answer


EventSentry is a SIEM that also includes performance monitoring capabilities natively (any Windows performance counter); however, it does not automatically correlate performance events with log events to suggest a root cause. You can set that up manually (correlate security with performance events), but not automatically.

There may be other solutions out there that do this, but I'm not aware of any. You may need a combination of tools to accomplish this without manual setup.

Having said that, even tools that automatically correlate will require significant effort for setup and training, without any guarantee that they will be able to determine the cause correctly.

Since this is probably not a common occurrence, I would just set up performance monitoring and utilize the SIEM to manually determine the cause and set up alerts for the future (or fix the problem).

Lucky Luke
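Added example, not part of the question or the answer above: the manual correlation the answer describes, done in PowerShell. It samples CPU and memory counters, flags samples that deviate from the run's own mean, and lists which accounts generated Security logon events (ID 4624) around each flagged sample, which is the pattern that exposed the indexing service in the question. The counter paths, thresholds, sample counts and window size are assumptions for illustration; it must run elevated on Windows with logon auditing enabled.

```powershell
# Assumed counters and sampling cadence (5 s x 60 samples = 5 minutes).
$counters = @('\Processor(_Total)\% Processor Time', '\Memory\Available MBytes')
$samples  = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 60

# Flag samples whose z-score against this run's mean exceeds the threshold.
function Get-Deviations {
    param([object[]]$Samples, [string]$PathFragment, [double]$ZThreshold = 2.0)
    $values = @(foreach ($s in $Samples) {
        ($s.CounterSamples | Where-Object { $_.Path -like "*$PathFragment*" }).CookedValue
    })
    $mean = ($values | Measure-Object -Average).Average
    $var  = ($values | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
    $sd   = [math]::Sqrt($var)
    if ($sd -eq 0) { return @() }            # flat line: nothing to flag
    for ($i = 0; $i -lt $Samples.Count; $i++) {
        $z = ($values[$i] - $mean) / $sd
        if ([math]::Abs($z) -ge $ZThreshold) {
            [pscustomobject]@{ Time = $Samples[$i].Timestamp; Value = $values[$i]; Z = [math]::Round($z, 2) }
        }
    }
}

# Return the TargetUserName of every successful logon (4624) within +/- WindowSeconds of Time.
function Get-LogonAccountsAround {
    param([datetime]$Time, [int]$WindowSeconds = 30)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624
        StartTime = $Time.AddSeconds(-$WindowSeconds); EndTime = $Time.AddSeconds($WindowSeconds)
    } -ErrorAction SilentlyContinue             # no matching events is not an error here
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()                  # parse by field name rather than positional index
        $xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' } |
            ForEach-Object { $_.'#text' }
    }
}

# Report: one line per deviating sample, then the accounts logging on around it, busiest first.
foreach ($fragment in 'Processor Time', 'Available MBytes') {
    foreach ($d in (Get-Deviations -Samples $samples -PathFragment $fragment)) {
        "{0}  {1}={2:N1}  z={3}" -f $d.Time, $fragment, $d.Value, $d.Z
        Get-LogonAccountsAround -Time $d.Time | Group-Object | Sort-Object Count -Descending |
            ForEach-Object { "    {0,4} logons  {1}" -f $_.Count, $_.Name }
    }
}
```

An account that appears under every CPU spike but nowhere else is the candidate to investigate; a service account with many 4624 entries in each window is exactly the signature described in the question.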