Discussions around sizing would be best handled via discussion with Professional Services.
There is detail included in the WEC Administration Guide.
https://support.oneidentity.com/technical-documents/syslog-ng-premium-edition/7.0.32/windows-event-collector-administration-guide/4#TOPIC-1925963
Performance

Performance is dependent on the number of event log messages that the Windows hosts send to Windows Event Collector (WEC) and the capabilities of the XML parser. Our performance measurements indicate that syslog-ng Premium Edition (syslog-ng PE)'s XML parser is capable of parsing 15,000-20,000 events/second. The exact capacity of the XML parser depends on the complexity of the Windows log messages, as well as the performance of the hardware that syslog-ng PE and WEC are running on.

When the limit of 15,000-20,000 events/second is reached, a workaround is recommended. As the value set in the batchsizelimit parameter is treated only as a recommendation by the Windows hosts, there is no direct way to control the amount of messages arriving from the event source computers. For more information, see batchsizelimit in the subscriptions option in Configuring Windows Event Collector.

A possible workaround is to launch multiple WEC servers and create multiple windowsevent() sources in syslog-ng PE. That way, you can distribute your Windows hosts across multiple WEC and syslog-ng PE servers, decreasing the load on individual servers.

To run multiple WEC services per syslog-ng PE service, you need to create your own init script. This is because the init script that comes with WEC enables you to run only a single WEC service per syslog-ng PE service.
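A planning sketch for the workaround described above, added here as an example and not taken from the One Identity documentation: it assigns hosts to WEC instances with a first-fit-decreasing pass so that no instance exceeds the lower end of the quoted parser range. The host names, per-host rates and the 20% headroom are constructed assumptions.

```python
"""Plan how to spread Windows hosts across several WEC/syslog-ng PE instances."""

# Conservative end of the 15,000-20,000 events/second parser range quoted above.
PARSER_LIMIT_EPS = 15_000


def plan_wec_instances(host_eps, limit_eps=PARSER_LIMIT_EPS, headroom=0.2):
    """First-fit-decreasing assignment of hosts to WEC instances.

    host_eps: dict of hostname -> measured peak events/second (assumed input).
    headroom: fraction of the limit kept free, because batchsizelimit is only
              a recommendation and hosts can burst above their usual rate.
    Returns a list of instances, each {"hosts": [...], "eps": total}.
    """
    if not 0 <= headroom < 1:
        raise ValueError("headroom must be in [0, 1)")
    budget = limit_eps * (1 - headroom)
    instances = []
    # Place the noisiest hosts first so they are not squeezed in last.
    for host, eps in sorted(host_eps.items(), key=lambda kv: (-kv[1], kv[0])):
        if eps < 0:
            raise ValueError(f"negative rate for {host}")
        if eps > budget:
            # A single host cannot be split across collectors by this plan.
            raise ValueError(f"{host} alone exceeds the per-instance budget")
        for inst in instances:
            if inst["eps"] + eps <= budget:
                inst["hosts"].append(host)
                inst["eps"] += eps
                break
        else:
            instances.append({"hosts": [host], "eps": eps})
    return instances


# Constructed sample rates (events/second), not measurements from the page.
SAMPLE_HOSTS = {
    "dc01": 6500, "dc02": 6100, "fs01": 3200, "sql01": 2800,
    "web01": 1900, "web02": 1700, "ws-pool-a": 4200, "ws-pool-b": 3900,
}

if __name__ == "__main__":
    for n, inst in enumerate(plan_wec_instances(SAMPLE_HOSTS), start=1):
        print(f"wec{n}: {inst['eps']:>6} eps  {', '.join(inst['hosts'])}")
```

Each resulting group corresponds to one WEC service with its own windowsevent() source; rerun the plan with fresh rate measurements when hosts are added or audit policy changes.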