
Be reserved: the process of confirming the source of a domain controller's sustained 60-80% CPU usage

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Background:

For a long time the domain controller's CPU sat at 60-80%. The log service took up a large share of the CPU, and reducing the maximum log size did not help. The domain controller is used by the single sign-on features of both Palo Alto and SXF, so I was sure it was one of the two, but I had no hard evidence.

With a stack trace I could only confirm that it was caused by a log query.

Since the log is queried through WMI, after finding some material on WMI tracing I captured a WMI trace to an ETL file for a short period, then used Windows Message Analyzer to extract the required fields, generated a CSV, and looked at it in Excel.

Query 1 (white background): it does not look very regular; the minimum query interval appears to be 1s, but the longest is 5s, and most are around 2s.

Select __RELPATH, InsertionStrings from Win32_NTLogEvent where ((Logfile = "security" AND (EventCode = 672 OR EventCode = 4624) OR EventCode = 540) OR EventCode = 4768) AND RecordNumber > 939574642)

Query 2 (yellow background; alas, this blog's keyword filter is too crude): the query interval is about 14-15s.

select __RELPATH, EventIdentifier, InsertionStrings, TimeGenerated from Win32_NTLogEvent where (EventIdentifier = 4624 OR EventIdentifier = 4768) OR EventIdentifier = 4769) OR EventIdentifier = 4770) OR EventIdentifier = 672) OR EventIdentifier = 673) OR EventIdentifier = 674) AND LogFile = "Security") AND TimeGenerated >= "20190906013740.75100000000"

Finding the real culprit

Yes, query 1 above is very frequent and may be the real culprit, but who sent it? Can it be traced to an IP address?

Use netsh trace to capture packets, then analyze them with Windows Message Analyzer: first filter on WMI, click one of the messages, expand the plus sign in front of it, follow down to the IP module, and then display SourceAddress as a column and strquery as a separate column, roughly as in the figure below. The real culprit is found.

Postscript

I thought that disabling the following settings in the SXF web console and deleting the configured domain controller list would stop the log queries. After capturing packets again, that turned out not to be the case: SXF insisted on working, and the AD log queries continued the whole time. I estimated that the only way to get to the bottom of it was to change the password of, or disable, the account used by SXF.

I verified my idea and found that it really works. I just want to say that you really have to be reserved.

After disabling the AD account used by SXF and then re-enabling it, the CPU graph of the DC is shown below:

Added: the query configuration of Palo Alto (configurable)

Two weeks later I got the patch file. As originally proposed, the frequency was changed to 25s, but it was hard-coded in the program; the response was simply laziness. Couldn't it be put in a configuration file so the frequency can be modified? Compared with Palo Alto, all one can do is sigh.

Although there are many sighs, I should be glad that a problem of more than a year has been solved.

Reference link

Network tracing using ETW

WMI Tracing
