Hi Team, quick question. How do the Windows Edge Nodes extract Windows Event logs and forward them to Cribl? Does it spin a powrshell process and send logs up in batches?
Question
How do the Windows Edge Nodes extract Windows Event logs and forward them to Cribl?
My understanding is that Edge collects the logs in batches using the `Get-WinEvent` powershell command
ooh, I see Brendan answered already!
Uh, I believe in order to reduce some overhead, we queue up all commands (for a particular collection) at once to prevent us overloading powershell processes. Not sure of the exact frequency though
I see there's a polling interval that can be modified. That would change how frequent the batching happens, right?
Oh duh, yeah probably. I think the polling period is when the all the powershell commands are executed. I just reviewed some internal architectural docs on Windows Event collection with Edge and the doc seems to indicate the polling interval is when the batching happens
Yes, you can customize the polling interval. Just note that if you poll too frequently, you could be duplicating events because the previous one could still be running.
Depends on the batch size and how many logs are in there that it's trying to catch up on. And there's not much directly useful logging to be able to see what's really going on. Best I can offer is test and see but know that we are actively working to get more observability data about ourself to support tuning.
Sign up
Already have an account? Login
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.