In our environment it was important to limit the events collected because we generate millions of alerts on our huge infrastructure. The decision was taken to only collect events from the DCs (peaking at about 25/s during the day), also because our retention is 2 years and the storage we would need to store every event in our domain for that long would be crazy (and past any MS SQL limit too).
Another decision to be taken was which events to collect. Even though all events are sent from the Event Forwarder (in our case the DCs) to the Event Collector (in our case a SCOM Management Point with the ACS role), they can be filtered before being put into the ACS database. There's a caveat there that I'd like to talk about today.