IBM QRadar

Hi, everybody.

I've got WinCollect 7.3.1.22 managed install on VDI machine pool.

Our IT team give me a performance report with high CPU consumption

2-core CPU Intel(R) Xeon(R) Gold 6252 CPU @ 2.10GHz
7Gb RAM

How can I optimize resource consumption?

------------------------------
Bohdan Khobta
------------------------------

Hello Bohdan,

please do not use Wincollect if your company size is mid-big since the Wincollect agent not stable needs further improvement  by IBM to have minimum performance impact on windows OS.

------------------------------
Donald Lavag
------------------------------

Original Message:
Sent: Tue November 15, 2022 05:19 AM
From: Bohdan
Subject: Qradar 7.5.0 Wincollect 7 managed high CPU consumption

Hi, everybody.

I've got WinCollect 7.3.1.22 managed install on VDI machine pool.

Our IT team give me a performance report with high CPU consumption

2-core CPU Intel(R) Xeon(R) Gold 6252 CPU @ 2.10GHz
7Gb RAM

How can I optimize resource consumption?

------------------------------
Bohdan Khobta
------------------------------

Hi Bohdan,
Can you provide some insight in to what the WinCollect agent is collecting?  For example:
- How many sources is this agent collecting. Are they remote or local.
- What kind of sources are they?  Windows events, File based, etc?
- What is the polling interval for these sources

In response to Donald Lavag's comment on not to use WinCollect.  That is a useless comment.  WinCollect is stable and most likely this situation your are facing just requires some tweaking to the settings to optimize performance.

------------------------------
JAY SARTORIS
------------------------------

Original Message:
Sent: Tue November 15, 2022 05:19 AM
From: Bohdan
Subject: Qradar 7.5.0 Wincollect 7 managed high CPU consumption

Hi, everybody.

I've got WinCollect 7.3.1.22 managed install on VDI machine pool.

Our IT team give me a performance report with high CPU consumption

2-core CPU Intel(R) Xeon(R) Gold 6252 CPU @ 2.10GHz
7Gb RAM

How can I optimize resource consumption?

------------------------------
Bohdan Khobta
------------------------------

Hi, Jay.

I tried several configs
The last one was trully minimalistic.
I choose only one local sysmon logsource using next XPATH

<QueryList>
<Query Id="0" Path="Microsoft-Windows-Sysmon/Operational">
<Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
</Query>
</QueryList>

Sysmon configured by official Jose Bravo guide 

Polling interval is 3000 ms


------------------------------
Bohdan
------------------------------

Original Message:
Sent: Wed November 16, 2022 09:39 AM
From: JAY SARTORIS
Subject: Qradar 7.5.0 Wincollect 7 managed high CPU consumption

Hi Bohdan,
Can you provide some insight in to what the WinCollect agent is collecting?  For example:
- How many sources is this agent collecting. Are they remote or local.
- What kind of sources are they?  Windows events, File based, etc?
- What is the polling interval for these sources

In response to Donald Lavag's comment on not to use WinCollect.  That is a useless comment.  WinCollect is stable and most likely this situation your are facing just requires some tweaking to the settings to optimize performance.

------------------------------
JAY SARTORIS

Original Message:
Sent: Tue November 15, 2022 05:19 AM
From: Bohdan
Subject: Qradar 7.5.0 Wincollect 7 managed high CPU consumption

Hi, everybody.

I've got WinCollect 7.3.1.22 managed install on VDI machine pool.

Our IT team give me a performance report with high CPU consumption

2-core CPU Intel(R) Xeon(R) Gold 6252 CPU @ 2.10GHz
7Gb RAM

How can I optimize resource consumption?

------------------------------
Bohdan Khobta
------------------------------