Q: With Windows event forwarding and collection, how can we limit the processing impact on source and collector computers?

A: If you use Windows event forwarding and collection, you might run into processing problems when many events are forwarded from a large set of event source computers on a regular basis. For example, you can encounter this problem when you configure event collection and forwarding for all security events that are generated on all domain controllers (DCs) in your Active Directory (AD) forest. You can limit the event collection and forwarding processing impact with two configuration tweaks: turning off the pre-rendering of events on event source computers and setting the maximum number of events that can be sent from an event source computer per second.

The task of pre-rendering events on the event source computer can be very processor-intensive when dealing with a large number of events. You can turn off pre-rendering at the level of each individual subscription defined on a collector machine. To turn off pre-rendering, type the following Windows Event Collector Utility (wecutil.exe) command on the event collector machine:

wecutil ss <name_of_subscription> /cf:events

The /cf: switch in the command changes the ContentFormat from "renderedtext" to "events" for the subscription named <name_of_subscription>. To view all subscriptions defined on an event collector, you can use

wecutil es

To control the maximum number of events that are sent per second to the event collector by the source computers, you can use the following Group Policy Object (GPO) setting: Computer Configuration/Administrative Templates/Windows Components/Event Forwarding/ForwardResourceUsage. This setting can be applied only to Windows Vista and later computers and affects all subscriptions that are linked to the forwarder on the event source computer.
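The following PowerShell script is an added example (not part of the original answer) that applies the two tweaks above as an audit step on the collector: it lists every subscription, reads its ContentFormat, and switches any that still pre-render to "events". It assumes an elevated shell on the collector with wecutil.exe on PATH, that "wecutil gs" prints a "ContentFormat:" line, and that the ForwardResourceUsage policy is stored under the registry path and value name (MaxForwardingRate) shown, which is an assumption, not something the answer states.

```powershell
# Added example: audit and fix ContentFormat on a Windows Event Collector.
# Assumes wecutil.exe is on PATH and the shell is elevated on the collector.

function Get-WecSubscriptionContentFormat {
    param([Parameter(Mandatory)][string]$Name)
    # 'wecutil gs' prints the subscription configuration, one "Key: Value" per line.
    foreach ($line in (wecutil gs $Name)) {
        if ($line -match '^\s*ContentFormat:\s*(\S+)') { return $Matches[1] }
    }
    return $null   # line not found, e.g. subscription does not exist
}

function Set-WecSubscriptionEventsFormat {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    if ($PSCmdlet.ShouldProcess($Name, 'Set ContentFormat to events')) {
        wecutil ss $Name /cf:events
        if ($LASTEXITCODE -ne 0) { throw "wecutil ss failed for '$Name' (exit $LASTEXITCODE)" }
    }
}

# 'wecutil es' prints one subscription name per line.
$results = foreach ($raw in (wecutil es | Where-Object { $_.Trim() })) {
    $name = $raw.Trim()
    [pscustomobject]@{
        Subscription  = $name
        ContentFormat = Get-WecSubscriptionContentFormat -Name $name
    }
}
$results | Format-Table -AutoSize

# Switch every subscription that still pre-renders on the source computers.
# Add -WhatIf to the call below for a dry run.
$results | Where-Object { $_.ContentFormat -eq 'RenderedText' } |
    ForEach-Object { Set-WecSubscriptionEventsFormat -Name $_.Subscription }

# Run on a source computer: show the per-second cap that the
# ForwardResourceUsage policy applies. Registry path and value name are assumptions.
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding'
$pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
if ($pol -and $pol.PSObject.Properties['MaxForwardingRate']) {
    "ForwardResourceUsage cap: $($pol.MaxForwardingRate) events/second"
} else {
    'ForwardResourceUsage is not set by policy on this computer'
}
```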
