I have a WMI sensor configured to log Security Audit Failures. From time to time it appears to report literally billions of new records (volume) but the actual event log on the windows server this sensor is monitoring has no login failure events.

Is there a bug in this sensor or could it be misconfigured? I'm unsure how to upload screenshots here so apologies for the lack of images.

Article Comments

Here are some screenshots of the sensor configuration and the data being

Basic Sensor Settings

Filter Event Log Entries

Raw data

Event Viewer showing no such events in the log at the time of the PRTG logging hundreds of millions of new events.

Event Viewer


Jun, 2018 - Permalink

The easiest way would probably be to enable the spike filter for all channels of the sensor. This usually happens when PRTG receives a messed up (i.e. too large, negative, invalid) value and trips the internal calculations, resulting in values that large.

Kind regards,
Stephan Linke, Tech Support Team


Jun, 2018 - Permalink