Q: With Windows event forwarding and collection, how can we limit the processing impact on source and collector computers?

A:If you use Windows event forwarding and collection, you might run into processing problems when many events are forwarded from a large set of eventsource computers on a regular basis. For example, you can encounter this problem when you configure event collection and forwarding for all securityevents that are generated on all domain controllers (DCs) in your Active Directory (AD) forest. You can limit the event collection and forwardingprocessing impact with two configuration tweaks: turning off the pre-rendering of events on event source computers and setting the maximum number ofevents that can be sent from an event source computer per second.

The task of pre-rendering events on the event source computer can be very processor-intensive when dealing with a large number of events. You can turnoff pre-rendering on the level of each individual subscription defined on a collector machine. To turn off pre-rendering, type the following WindowsEvent Collector Utility (wecutil.exe) command on the event collector machine:

wecutil ss  /cf:events

The /cf: switch in the command changes the ContentFormat from "renderedtext" to "events" for the subscription named . Toview all subscriptions defined on an event collector, you can use

wecutil es

To control the maximum number of events that are sent per second to the event collector by the source computers, you can use the following Group PolicyObject (GPO) setting: Computer Configuration/Administrative Templates/Windows Components/Event Forwarding/ForwardResourceUsage. This setting can beapplied only to Windows Vista and later computers and affects all subscriptions that are linked to the forwarder on the event source computer.