A:
If you use Windows event forwarding and collection, you might run into processing problems when many events are forwarded from a large set of event
source computers on a regular basis. For example, you can encounter this problem when you configure event collection and forwarding for all security
events that are generated on all domain controllers (DCs) in your Active Directory (AD) forest. You can limit the event collection and forwarding
processing impact with two configuration tweaks: turning off the pre-rendering of events on event source computers and setting the maximum number of
events that can be sent from an event source computer per second.
The task of pre-rendering events on the event source computer can be very processor-intensive when dealing with a large number of events. You can turn
off pre-rendering on the level of each individual subscription defined on a collector machine. To turn off pre-rendering, type the following Windows
Event Collector Utility (wecutil.exe) command on the event collector machine:
wecutil ss <name_of_subscription> /cf:events
The /cf: switch in the command changes the ContentFormat from "renderedtext" to "events" for the subscription named <name_of_subscription>. To
view all subscriptions defined on an event collector, you can use the following command:
wecutil es
To control the maximum number of events that are sent per second to the event collector by the source computers, you can use the following Group Policy
Object (GPO) setting: Computer Configuration/Administrative Templates/Windows Components/Event Forwarding/ForwardResourceUsage. This setting can be
applied only to Windows Vista and later computers and affects all subscriptions that are linked to the forwarder on the event source computer.
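
The two wecutil steps above can be combined into one pass over every subscription on the collector. The following PowerShell script is an added example, not part of the original answer; it assumes an elevated session on the collector and reads each subscription's configuration with wecutil gs <name> /f:xml, a command the answer itself does not use. The -Apply switch is a name chosen for this example.

```powershell
# Added example (not from the original article). Run elevated on the collector.
# Without -Apply the script only reports; with -Apply it switches every
# subscription that still uses RenderedText to Events.
param([switch]$Apply)

foreach ($name in (wecutil es)) {
    if ([string]::IsNullOrWhiteSpace($name)) { continue }

    # 'wecutil gs <name> /f:xml' prints the subscription configuration as XML.
    $raw = (wecutil gs $name /f:xml) -join "`n"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not read subscription '$name' (exit code $LASTEXITCODE)"
        continue
    }

    # PowerShell's XML adapter ignores the namespace for dotted access.
    $format = ([xml]$raw).Subscription.ContentFormat
    $action = 'none'

    if ($format -eq 'RenderedText') {
        if ($Apply) {
            # Same change as 'wecutil ss <name_of_subscription> /cf:events'.
            wecutil ss $name /cf:Events | Out-Null
            $action = if ($LASTEXITCODE -eq 0) { 'changed to Events' }
                      else { "failed (exit code $LASTEXITCODE)" }
        } else {
            $action = 'would change to Events'
        }
    }

    # One row per subscription, so the result can be piped to Format-Table
    # or Export-Csv for a change record.
    [pscustomobject]@{
        Subscription  = $name
        ContentFormat = $format
        Action        = $action
    }
}
```

Run it once without -Apply to review which subscriptions would change. After a subscription is switched to Events, the collector has to render message text itself, so confirm that forwarded events still display readable descriptions there.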