2 Replies Latest reply on Sep 8, 2015 1:39 AM by acommons

    WMI Pull Times

    wca8819

      So we have a small field office with a file/print server set to poll/pull logs via WMI every 10 minutes.  We are starting to get reports of the pipe getting saturated, that match up exactly with these pull times.  One of the suggestions made was to only pull the logs for that server once a day/off hours. And I have many questions and concerns. Any other thoughts/comments/concerns would be greatly appreciated.

       

      Concerns:

      1. Loss of real-time view and correlation.

      2. Log size and trying to move it all at once.

       

      Questions:

      1. Is it even possible to set up a specific pull time? I know you can set the interval to 1 Day.

      2. If needed, could you force a pull at any time manually?

        • 1. Re: WMI Pull Times
          rgarrett

          There are two things you could do:

          1) Scheduling

          2) Throttling

           

          Scheduling is done at the receiver. You can define a daily data pull. So for example, you could schedule the pull between 6:00 PM and 7:00 AM.

          The advantage of course would be that the pull would be off hours, so employees' work would not be affected.

           

          The disadvantage would be that this would affect aggregation and potentially affect the ESM (pulling events in the past).

           

          Go to device properties

          Click on Events, Flows and Logs

          See checkbox "Define daily data pull time range"


           

          Throttling is the other option (Outbound Traffic Control).

          This would throttle the throughput on all NICs on specified IP ranges or devices to a certain bandwidth. This would allow the network to continue to function under low-bandwidth conditions.

           

          The disadvantage is potential data loss, or loss of communication to the device if the throttle is set too low.

           


          • 2. Re: WMI Pull Times
            acommons

            We have to deal with this quite a lot. What we have done so far is (1) increase polling rate so that the amount of information pulled each time is reduced. This evens out the load on the link a bit: more, smaller spikes. (2) Use QoS policies to limit the maximum link utilisation. (3) Reduce volume by adjusting the audit settings on the systems in question. Not great, and event storms can still make a mess of the link, but it works most of the time.