5. Load Balancing Many Forwarders Across Multiple Collectors

What if you have tens of thousands of workstations or hundreds of servers that simply produce more events than one Collector can keep up with?  Supercharger’s Enterprise functionality can automatically distribute and balance this load across multiple controllers with a feature called Load Balanced Subscriptions.

A Load Balanced Subscription is like a normal Subscription in WEC but you create it in Supercharger at the domain level and then Supercharger creates actual WEC subscriptions on collector as necessary with an equal portion of computers to each collector.

Load Balancer 

Inside a given domain, you first create an object called a Supercharger object called a Load Balancer which is made up of 2 lists

  1. The Collectors among which Supercharger should distribute the load of forwarders
  2. The Cohort of Forwarders that should be evenly distributed among the Collectors. This set of computer accounts from AD is called the Cohort. You can define using either an AD group or with and LDAP query. Supercharger will find all the computers in that group or LDAP query and they become the Cohort. Supercharger takes into account each computer's status in AD (is it enabled?  is it dormant?) and assigns an even number to each collector. As the word implies, the cohort should be a fairly homogeneous set of similar computers that would be expected on average to produce a like number of events.

Load Balanced Subscriptions 

But wait, all we've defined is a set of Collectors and a cohort of Forwarders. What about specifying which Event Logs and which events in those logs you need to collect?  That's where the next object type, Load Balanced Subscriptions, come in. Load Balanced Subscriptions are child objects of a Load Balancer.

For a given Load Balancer you can create one or more Load Balanced Subscriptions which comprise

  • Managed Filter - a Supercharger object that specifies which event logs and events to collect. More info 
  • Subscription Policy - a Supercharger object that specifies all the WEC settings for a subscription. For Load Balanced Subscriptions, Supercharger only displays Deterministic policies. More info
  • Destination Log Name - this log must be present on each collector in the Load Balancer but Supercharger helps you manage this​


Here is an overall diagram showing the relationship of Load Balancers, Load Balanced Subscriptions and the actual Collectors and Subscriptions in Windows.​


