There are several problems with vmware eventlog retrieval logic:
- Eventlogs are always downloaded in batches of 10, even if there are thousands of old records (0.5sp).
- If poller did not check collected event logs between collector data refreshes (so it did not set service.eventlog_last_key to the lastlogsize value), the cached events will be discarded and collector will redownload them (1-2sp).
The first can be solved by dynamically increasing the batch size with each next request. Start with 10 and multiply by 2 (until batch size reaches 1000) if ReadPreviousEvents returned valid events.
The second must be investigated more carefully - it seems to be the case, but needs to be tested.
|