Q: How can I optimize Windows event forwarding to limit the processing and communication strain that it puts on the Windows source computers and event collector machines (aka event collectors)?
A: There are several ways to optimize Windows event forwarding. You can turn off the pre-rendering of events on the source computers, control the number of events sent from the source computers, fine-tune the TCP/IP connection idle time, and change the event batch size.
Turn off the pre-rendering of events. The pre-rendering of events on the source computer can be CPU intensive if a large number of events are forwarded to the event collector. To turn off pre-rendering, open a command prompt on the event collector and enter the following Wecutil command, replacing <name of subscription> with the name of your event subscription:
wecutil ss <name of subscription> /cf:events
Control the number of events sent. To control the number of events that are sent per second from a source computer to an event collector, you can use the following Group Policy Object (GPO) setting on source computers: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Forwarding\ForwardResourceUsage. This setting applies to all subscriptions configured on a given source computer.
Fine-tune the TCP/IP connection idle time. In large environments where a large number of source computers connect to a single event collector, it's recommended that you reduce the TCP/IP idle time to improve the speed at which source computers can connect to event collectors. According to Microsoft's guidelines, you can connect around 100,000 source computers to a single event collector if you set the TCP/IP idle time to two minutes. To do this, open an elevated command prompt on the event collector and run this Net command:
net config server /autodisconnect:2
Change the event batch size. You can increase the event batch size for a subscription so that source computers send their event data to the event collector less frequently. To do so, run the following Wecutil command on the event collector, replacing sub_name with the name of your subscription:
wecutil ss sub_name /cf:Events /dmi:10000 /cm:custom
In this example, the batch size is set to 10,000, as specified using the /dmi parameter. The /cm parameter sets the configuration mode of the Wecutil command. To change the event batch size, the configuration mode must be set to custom.
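As an added example (not part of the original answer), the following PowerShell function checks a subscription's configuration against the pre-rendering and batch-size settings discussed above. It parses the subscription XML that wecutil gs <subscription> /f:xml prints on the event collector; the sample XML and the function name are my own.

```powershell
# Added example: audit one WEF subscription for the tuning points in the answer above.
# On a real collector, feed it:  (wecutil gs <subscription> /f:xml | Out-String)
function Test-WefSubscriptionTuning {
    param([Parameter(Mandatory)][string]$SubscriptionXml)

    [xml]$doc = $SubscriptionXml
    $sub = $doc.Subscription          # PowerShell's XML adapter ignores the default namespace
    $findings = @()

    # Pre-rendering: ContentFormat "RenderedText" makes every source render message text
    # before forwarding; "Events" ships the raw event XML, which is far cheaper on the source.
    if ($sub.ContentFormat -ne 'Events') {
        $findings += "ContentFormat is '$($sub.ContentFormat)': pre-rendering is on; run 'wecutil ss $($sub.SubscriptionId) /cf:Events'"
    }

    # Batch size: a custom MaxItems value is only honoured when ConfigurationMode is Custom.
    $mode  = $sub.ConfigurationMode
    $items = [int]$sub.Delivery.Batching.MaxItems   # $null -> 0 when the element is absent
    if ($mode -ne 'Custom') {
        $findings += "ConfigurationMode is '$mode': built-in batching defaults apply, /dmi has no effect until /cm:custom is set"
    } elseif ($items -lt 10000) {
        $findings += "MaxItems is $items; consider 'wecutil ss $($sub.SubscriptionId) /cf:Events /dmi:10000 /cm:custom' for fewer, larger batches"
    }

    [pscustomobject]@{
        Subscription      = $sub.SubscriptionId
        ContentFormat     = $sub.ContentFormat
        ConfigurationMode = $mode
        MaxItems          = $items
        Findings          = $findings
    }
}

# Constructed sample: a subscription still on its defaults (pre-rendering on, Normal mode).
$sample = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>SecurityLogs</SubscriptionId>
  <ContentFormat>RenderedText</ContentFormat>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>5</MaxItems><MaxLatencyTime>900000</MaxLatencyTime></Batching>
  </Delivery>
</Subscription>
'@

Test-WefSubscriptionTuning -SubscriptionXml $sample | Format-List
```

Running it against the sample reports both findings; on a collector with many subscriptions, loop over the names that wecutil es lists and pipe each one through the function.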