Domain Controller CPU Spike - Due to system logs


  • Hi all,

    Wondering if anybody out there is having the same issue as me, and if they have found a solution to it.

    A number of our Domain Controllers (2008 forest, on physical and virtual 2008r2 servers with full patches) were having a heart-rhythm spike in the CPU. The percentage of the CPU spike depends on the number of CPUs available to the DC.

    We have found the reason for the spike, and it is due to a capping in place within the system logs. When the logs hit the cap and a new log goes to write, it first has to remove an old log from the system and thus sends the CPU sky high.

    Does anyone know why this is only happening now, as the capping has been in place for a number of years with no issues present until recently?

    Is there a permanent fix that I can put in place, instead of saving off the logs and then deleting them as part of monthly maintenance before they fill up to the max and cause the spiking to happen again?

    Has anyone set up the system logs to fill on a separate drive/partition and scripted a save copy and delete every 90 days, for example?

    Maybe someone has seen this and come up with a smarter way of dealing with it; I'd love to hear from you.



    Thursday, April 03, 2014 9:56 PM

All replies

  • Hi,

    Thanks for your posting.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support. 

    Best Regards,



    Tuesday, April 08, 2014 2:14 AM
  • To remove the system event log, please refer to the article below:

    We can also overwrite older events or clear a log of its contents when it reaches the initial maximum size of a log.


    To specify log size and overwrite options, follow these steps:
    1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
    2. In the console tree, expand Event Viewer, and then right-click the log in which you want to set size and overwrite options.
    3. Under Log size, type the size that you want in the Maximum log size box.
    4. Under When maximum log size is reached, click the overwrite option that you want.
    5. If you want to clear the log contents, click Clear Log.
    6. Click OK.

    Hope it's helpful.


    Tuesday, April 08, 2014 10:02 AM
  • Hi Mandy/ Anna

    Thanks for taking the time to reply to my query.

    What you have stated above, Anna, is currently in place: all our logs are capped with a max log size and all new logs overwrite the old ones.

    That is the problem we are having: during this overwrite period, once the max log size is reached, the CPU is spiking up to 100% on these 2008r2 domain controller servers.

    Tuesday, April 08, 2014 5:29 PM
  • How long did the high CPU persist? One minute or a long time? If the CPU can return to normal in a very short time, we can ignore this, since when the max log size is reached, this is expected behavior due to the large size.

    Besides, how about changing the max size to a smaller value?


    Wednesday, April 09, 2014 6:48 AM
  • The CPU spikes to 100% every 10 seconds continually, returning to normal within a 2 second period.

    We have tried both extending the log size and reducing it, but this has not solved our issue either way.

    We have also looked at what we are logging and it seems on par with all the recommended settings via Microsoft. It seems the biggest and fastest filling log is the security log.

    We have now increased the CPU to 2 to reduce the load against the server. This has reduced the spiking to 50%, but the rhythm continues to spike to 100% every 10 seconds, and upon clearing the logs the spiking disappears.

    Our new avenue is to look at creating a separate drive of XX GB within the VM and pointing all logs in there, creating a backup copy of these once a month to another area and wiping these off the server, thus not reaching the cap and thus not spiking the CPU.

    This cannot be the best fix, but until an alternative stable solution is found I think we don't have a choice.

    Wednesday, April 09, 2014 1:56 PM
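
One way to script the archive-and-clear workaround described in the post above. This is an added example, not code from any participant in the thread; the archive path `E:\EventLogArchive`, the log list and the 90-day archive retention are assumptions.

```powershell
# Added example: archive, clear and prune event logs before they reach their cap.
# $ArchiveRoot and $KeepDays are hypothetical values; adjust to your environment.
param(
    [string[]]$LogNames    = @('Security', 'System', 'Application'),
    [string]  $ArchiveRoot = 'E:\EventLogArchive',
    [int]     $KeepDays    = 90
)

if (-not (Test-Path $ArchiveRoot)) {
    New-Item -ItemType Directory -Path $ArchiveRoot | Out-Null
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($log in $LogNames) {
    $file   = '{0}-{1}-{2}.evtx' -f $env:COMPUTERNAME, $log, $stamp
    $target = Join-Path $ArchiveRoot $file

    # "cl <log> /bu:<file>" saves the log to <file> and clears it in one call,
    # so there is no window between a separate export and a separate clear.
    & wevtutil.exe cl $log "/bu:$target"

    if ($LASTEXITCODE -ne 0) {
        Write-Warning "wevtutil failed for $log (exit code $LASTEXITCODE)"
        continue
    }
    if (-not (Test-Path $target)) {
        Write-Warning "No archive file was written for $log"
        continue
    }
    $sizeMB = [math]::Round((Get-Item $target).Length / 1MB, 1)
    Write-Output "Archived $log to $target ($sizeMB MB)"
}

# Prune archives older than the retention window.
$cutoff = (Get-Date).AddDays(-$KeepDays)
Get-ChildItem -Path $ArchiveRoot -Filter '*.evtx' |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    Remove-Item
```

Clearing the Security log records event ID 1102, so a scheduled run of this script will appear in audit monitoring and should be expected there. The archive folder holds security audit data and should be readable by administrators only.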
  • Hi, I had the same issue and couldn't find any resolution. In my case, security logs were causing the trouble.

    After spending so much time on perfmon and other performance tools, I cleared the events once and let them fill with new ones, then exported them to a CSV file and checked those events. I found that the majority of events were logged by a device on the network, and after checking with the security team, I found that they had deployed a new security device on the network that was logging the security events on all the DCs in the environment. Once they removed a single DC from the security device logging, it started behaving normally and I didn't see the spike on that DC.

    Hope that will help you.

    Thursday, October 15, 2015 9:13 PM
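
The triage described in the last post (working out which source is filling the Security log) can be done directly on the DC without a CSV export. This is an added example, not code from any participant in the thread; the sample size is an assumption, and the `IpAddress` and `TargetUserName` fields are only present on some event IDs (logon and Kerberos events, for instance).

```powershell
# Added example: find which event IDs and sources are filling the Security log.
# Run elevated on the DC; $MaxEvents is a hypothetical sample size.
param([int]$MaxEvents = 20000)

$events = @(Get-WinEvent -LogName Security -MaxEvents $MaxEvents)
if ($events.Count -lt 2) { Write-Warning 'Not enough events to analyse'; return }

# Get-WinEvent returns newest first, so the sample spans last..first.
$seconds = ($events[0].TimeCreated - $events[-1].TimeCreated).TotalSeconds
$rate    = [math]::Round($events.Count / [math]::Max($seconds, 1), 1)
Write-Output "Sampled $($events.Count) events, about $rate events/second"

# 1. Which event IDs dominate the log?
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 2. Which source address / account pairs generate them?
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.ChildNodes) {
        # Keep only named <Data Name="..."> elements.
        if ($d -is [System.Xml.XmlElement] -and $d.HasAttribute('Name')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
    }
    New-Object PSObject -Property @{
        Id        = $e.Id
        IpAddress = $data['IpAddress']      # empty when the event has no such field
        Account   = $data['TargetUserName'] # empty when the event has no such field
    }
}

$rows | Group-Object Id, IpAddress, Account | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize
```

A single address or account at the top of the second table with a count far above the rest points to one device or service generating most of the volume, which is the pattern the poster found.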