The Safed agent keeps track of the events it receives from the EventLog by storing the LastEventID in the registry. At start time the agent tries to retrieve all events from the Windows EventLog starting from the LastEventID. When the number of events since the LastEventID is too large, or the LastEventID has already been removed from the EventLog, the Safed agent may hang and apparently do nothing.
The new Safed version (1.10.1) introduces an important bugfix that prevents the agent from hanging. This has been accomplished by modifying the agent's behavior at start time. The LastEventID is still taken into account at start time, but it can't be older than the maximum cache days defined in the agent configuration.
Hence, to maximize performance when using Safed for realtime event monitoring, it is advised to set the cache (expressed in days as "Number of Cache files" under Network Configuration) to 0.
This way the agent won’t try to retrieve old events on start.
On the other hand, if Safed is used to collect data for auditing purposes, we advise keeping the above value higher, so that the agent tries to retrieve all events written to the EventLog during the agent's downtime.
Please keep in mind that, because of the EventLog design, Safed may still slow down if the number of events it has to receive/recover upon start is too large. We recommend keeping the agent monitored by NetEye itself and adding a restart policy on the service, in order to avoid these situations.
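The start-up behaviour described above, as an added example that is not part of the original post or of Safed's own code: a small Python model of the replay decision. It compares the old, unbounded behaviour (replay everything newer than the LastEventID, even when that record has long been rotated out of the log) with the 1.10.1 behaviour, where the cache-days setting caps how far back the agent looks. The in-memory EventLog, the record numbers, the timestamps and the `read_last_event_id` registry stand-in are all constructed for the example; they do not reflect how Safed actually reads the Windows EventLog or the registry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    record_id: int    # EventLog record number, monotonically increasing
    time: datetime    # time the event was written
    source: str


# Constructed sample: a 10-day EventLog with one event per hour (240 records).
# Record numbers start at 1000, i.e. everything below 1000 has already been
# overwritten by log rotation.
NOW = datetime(2024, 1, 11, 0, 0, 0)
LOG = [
    Event(record_id=1000 + i, time=NOW - timedelta(hours=240 - i), source="Security")
    for i in range(240)
]


def read_last_event_id(registry: dict, default: int = 0) -> int:
    """Stand-in for the agent's registry lookup of LastEventID (constructed,
    a plain dict models the registry; a missing value means a first start)."""
    return int(registry.get("LastEventID", default))


def replay_unbounded(log, last_event_id):
    """Pre-1.10.1 behaviour (modelled): replay everything newer than LastEventID,
    however old it is. If LastEventID was rotated out of the log, that is the
    whole log, which is the backlog that could stall the agent at start."""
    return [e for e in log if e.record_id > last_event_id]


def replay_bounded(log, last_event_id, cache_days, now):
    """1.10.1 behaviour (modelled): LastEventID still applies, but nothing older
    than cache_days before start is replayed. cache_days == 0 means the agent
    replays nothing from before start (realtime monitoring setting)."""
    if cache_days <= 0:
        return []
    cutoff = now - timedelta(days=cache_days)
    return [e for e in log if e.record_id > last_event_id and e.time >= cutoff]


def backlog_sizes(log, registry, cache_days, now):
    """Return (unbounded, bounded) backlog sizes for one start-up scenario."""
    last_id = read_last_event_id(registry)
    return len(replay_unbounded(log, last_id)), len(replay_bounded(log, last_id, cache_days, now))


if __name__ == "__main__":
    # LastEventID 500 no longer exists in the log (rotated out).
    for cache_days in (0, 2, 10):
        old, new = backlog_sizes(LOG, {"LastEventID": 500}, cache_days, NOW)
        print(f"cache_days={cache_days:2d}: unbounded replay={old:3d}, bounded replay={new:3d}")
```

With the LastEventID rotated out of the log, the unbounded variant replays all 240 records regardless of the cache setting, while the bounded variant replays 0, 48 or 240 records for a cache of 0, 2 or 10 days. A recent LastEventID still limits the replay further, since both conditions must hold.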
Please find the new version under Downloads.