If the source computer is generating a large volume of forwarded events (for example, Security events from a Domain Controller), then we recommend event rendering be disabled on the event collector. The task of pre-rendering an event on the source computer can be CPU intensive for a large number of events.
- On the event collector, open a command prompt.
wecutil ss <subscriptionname> /cf:events
ContentFormat is changed from RenderedText to Events, which reduces Source Computer CPU overhead and event size.
To view event subscriptions, use the WECUTIL command utility with the gs option. Type:
wecutil gs <subscriptionname>