Hello
High CPU utilization after enabling Event Log Forwarding can occur due to several reasons:
Number of Connections: The memory usage of the Windows Event Collector service depends on the number of connections that are received by the client. The number of connections depends on the frequency of the connections, the number of subscriptions, the number of clients, and the operating system of the clients.
Event Latency: As soon as events are generated on the client, the Event Forwarding mechanism takes some time to forward them to the collector. This delay may be caused by the subscription configuration, such as the DeliveryMaxLatency parameter, the performance of the collector, the forwarder, or the network.
System Requirements: If you deploy EventLog Forwarding in a large environment (for example, you deploy 40,000 to 100,000 source computers), it is recommended that you deploy more than one collector that has 2,000 to not more than 4,000 clients per collector.
Here are some suggestions to fix this situation:
Update Your System: There are important scalability fixes that have been rolled out to Windows Server 2016 and Windows Server 2019 in the February 25, 2020 cumulative updates.
Switch Fetch Method: Switch the event log monitor fetch method from WMI to RPC on the remaining monitors. CPU loads should fall back to normal levels.
Create a Trace: Create an ETL trace when the problem is happening. For example, run wpr.exe -start GeneralProfile, leave it for 20-30 seconds while you have the problem, and then run wpr.exe -stop C:\gp.etl. Once you have the ETL file, get Windows Performance Analyzer from the Store and load the trace file.
Remember that each situation is unique and these solutions might not apply directly to your case. It's always a good idea to back up your system and data before making any changes.
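The connection-count and trace steps from the answer above, combined into one collector-side triage script. This is an added example, not code from the answer; it assumes it runs elevated on the collector with wecutil.exe and wpr.exe available, and the threshold, sample and capture lengths are placeholder values.

```powershell
# Added example (not part of the original answer): WEF collector CPU triage.
# Assumptions: elevated session on the collector; wecutil.exe and wpr.exe present
# (Windows Server 2016/2019). Threshold and timings below are placeholders.
$CpuThresholdPercent = 60
$SampleSeconds       = 5
$CaptureSeconds      = 30
$TracePath           = 'C:\gp.etl'   # output path used in the answer

# 1. How many sources are actively connected to each subscription?
#    Guidance from the answer: keep each collector at 2,000 to 4,000 clients.
#    Counting 'RunTimeStatus: Active' lines assumes the usual 'wecutil gr' layout.
foreach ($sub in (wecutil es)) {
    $status = wecutil gr $sub 2>$null
    $active = @($status | Select-String -SimpleMatch 'RunTimeStatus: Active').Count
    '{0,-40} active sources: {1}' -f $sub, $active
}

# 2. Sample CPU of the svchost process hosting the Windows Event Collector (WecSvc).
#    Caveat: other services may share that svchost, so treat the figure as an upper bound.
$svc = Get-CimInstance Win32_Service -Filter "Name='WecSvc'"
if (-not $svc -or $svc.ProcessId -eq 0) { throw 'WecSvc is not running' }
$proc      = Get-Process -Id $svc.ProcessId
$cpuBefore = $proc.TotalProcessorTime.TotalSeconds
Start-Sleep -Seconds $SampleSeconds
$proc.Refresh()
$cpuAfter   = $proc.TotalProcessorTime.TotalSeconds
$cores      = [Environment]::ProcessorCount
$cpuPercent = [math]::Round(100 * ($cpuAfter - $cpuBefore) / ($SampleSeconds * $cores), 1)
"WecSvc host PID $($svc.ProcessId): $cpuPercent % CPU over $SampleSeconds s"

# 3. Capture the ETL trace only while the problem is actually occurring,
#    then open the file in Windows Performance Analyzer as the answer describes.
if ($cpuPercent -ge $CpuThresholdPercent) {
    wpr.exe -start GeneralProfile
    Start-Sleep -Seconds $CaptureSeconds
    wpr.exe -stop $TracePath
    "Trace written to $TracePath"
} else {
    'CPU below threshold; no trace taken'
}
```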