It would be nice to have a consistent default for ignore_older for integrations that use the winlog input type. In the System integration ignore_older: 72h is hard-coded into the config, and none of the other readers use the options. This creates an inconsistency. And because it's not configurable users cannot fix the situation.
So I propose that we make ignore_older configurable and use the same default value in all integrations that use the winlog input.
Users have reported high CPU usage when they first enable some of these integrations. I suspect it's due to the fact that it always processes events from the beginning of time for Security/System. So putting some limits in by default and making it configurable would be helpful.