We are using Windows Event Collector (WEF) to forward defined security events to a special server. After some days of using this solution, navigating to "Subscription" within the Event Viewer causes a minute-long timeout for loading the data.

1 Answer

According to the MS documentation, this is because of the huge number of registry keys created for every single subscription (every host gets a unique key under every subscription):

For each unique device that connects to a WEF subscription, there's a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. If this information isn't pruned to remove inactive clients, this set of registry keys can grow to an unmanageable size over time.

When a subscription has >1000 WEF sources connect to it over its operational lifetime, also known as lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting the Subscriptions node in the left-navigation, but will function normally afterwards. At >50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included with Windows) must be used to configure and manage subscriptions. At >100,000 lifetime WEF sources, the registry won't be readable and the WEC server will likely have to be rebuilt.

It is possible to bypass this limitation by denying the creation of subkeys within EventSources for each subscription, so that Event Viewer remains responsive even with thousands of hosts and dozens of subscriptions.

# Deny rule: nobody may create new subkeys (i.e. new per-host keys) under the targeted key
$DenySubKeyWrite = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList "Everyone", "CreateSubKey", "Deny"

# Apply the rule to the EventSources key of every subscription on the collector
Foreach ($sub in (Get-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions\*\EventSources"))
{
    # Get-Item returns registry key objects; their provider path (PSPath) is what Get-Acl/Set-Acl expect
    $tmpPath = $sub.PSPath
    $tmpACL = Get-Acl -Path $tmpPath
    $tmpACL.AddAccessRule($DenySubKeyWrite)
    Set-Acl -Path $tmpPath -AclObject $tmpACL
}
  • I do not believe it is recommended or supported to deny the creation of the registry subkeys used to track the event forwarding clients on the WEC server. These keys are used to track the bookmarks of where the WEC server left off on event collection. The recommended action is to limit the number of clients and subscriptions per WEC server and prune stale clients from the WEC server registry.
    – twconnell
    Nov 17 at 12:51
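As an added example (not from the answer or the comment above), the following script takes the defensive route the comment recommends: it audits every subscription's EventSources key against the lifetime-source thresholds quoted from the MS documentation (1000 / 50,000 / 100,000) and lists sources whose last heartbeat is older than a chosen age, optionally pruning them. It assumes each per-host key holds a QWORD value named LastHeartbeatTime containing a FILETIME; that value name is an assumption, and sources without it are skipped rather than treated as stale.

```powershell
# Audit (and optionally prune) stale WEF sources on a collector. Run elevated.
# Assumption: each source key stores a QWORD FILETIME value named LastHeartbeatTime.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$StaleDays = 30,   # sources silent longer than this are reported as stale
    [switch]$Prune          # remove stale keys; combine with -WhatIf to preview
)

$base   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions'
$cutoff = (Get-Date).AddDays(-$StaleDays)

foreach ($subKey in Get-ChildItem -Path $base) {
    $srcPath = Join-Path $subKey.PSPath 'EventSources'
    if (-not (Test-Path $srcPath)) { continue }

    $sources = @(Get-ChildItem -Path $srcPath)
    $count   = $sources.Count
    # Thresholds as stated in the MS documentation quoted in the answer.
    $level = switch ($count) {
        { $_ -ge 100000 } { 'registry may become unreadable; rebuild likely'; break }
        { $_ -ge 50000 }  { 'Event Viewer unusable; manage with wecutil.exe';  break }
        { $_ -ge 1000 }   { 'Event Viewer will stall on the Subscriptions node'; break }
        default           { 'ok' }
    }
    Write-Output ("{0}: {1} lifetime sources ({2})" -f $subKey.PSChildName, $count, $level)

    foreach ($src in $sources) {
        $ft = (Get-ItemProperty -Path $src.PSPath -ErrorAction SilentlyContinue).LastHeartbeatTime
        if ($null -eq $ft) {
            Write-Verbose "  $($src.PSChildName): no LastHeartbeatTime value, skipped"
            continue
        }
        $last = [DateTime]::FromFileTimeUtc([int64]$ft)
        if ($last -lt $cutoff) {
            Write-Output ("  stale: {0} (last heartbeat {1:u})" -f $src.PSChildName, $last)
            # Deleting the key drops the bookmark for that host; it re-registers on next connect.
            if ($Prune -and $PSCmdlet.ShouldProcess($src.PSChildName, 'Remove stale event source key')) {
                Remove-Item -Path $src.PSPath -Recurse
            }
        }
    }
}
```

Run it without -Prune first to see the per-subscription counts and the stale list; `wecutil gr <subscription>` shows the same per-source heartbeat information through the supported tool and is a good cross-check before pruning.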
