How do the Windows Edge Nodes extract Windows Event logs and forward them to Cribl?

Yes, it does. We leverage native PowerShell utilities to export the Windows logs.

My understanding is that Edge collects the logs in batches using the `Get-WinEvent` powershell command

ooh, I see Brendan answered already!

Got it. How frequent is the batching process?

Uh, I believe in order to reduce some overhead, we queue up all commands (for a particular collection) at once to prevent us overloading powershell processes. Not sure of the exact frequency though

I see there's a polling interval that can be modified. That would change how frequent the batching happens, right?

Oh duh, yeah probably. I think the polling period is when the all the powershell commands are executed. I just reviewed some internal architectural docs on Windows Event collection with Edge and the doc seems to indicate the polling interval is when the batching happens

Yes, you can customize the polling interval. Just note that if you poll too frequently, you could be duplicating events because the previous one could still be running.

Is 10 seconds too frequent? That is the default

Shouldn't be

Depends on the batch size and how many logs are in there that it's trying to catch up on. And there's not much directly useful logging to be able to see what's really going on. Best I can offer is test and see but know that we are actively working to get more observability data about ourself to support tuning.