Windows Event Collection creates a registry key and several child values for each source computer that ever sends events to a given subscription. However, WEC never deletes these registry objects even after sources are no longer valid. This can create 2 issues:
- In environments with heavy forwarder turnover, this results in an ever-growing glut of old source records which slows down WEC and makes Event Viewer unresponsive.
- Supercharger cannot accurately determine health of subscriptions where you choose the Empirical health assessment basis. Empirical health assessment bases its expected forwarder count on the WEC sources found in the registry. If you have many outdated WEC sources, Supercharger will rate the health of the subscription lower than what it should be.
Supercharger solves this problem with the optional pruning feature which you can enable/disable in Subscription Policy objects. When you enable Prune WEC sources, you must specify how many days must elapse with no heartbeat being reported by a given WEC source before it is pruned. By default, Supercharger runs the PruneWecSourceComputersCommand at midnight, but you can run the command on demand from a collector's viewer dialog.
When a WEC source is pruned, the registry key is simply deleted. If the WEC source becomes active again in the future, WEC will automatically recreate the key.
Optionally provide private feedback to help us improve this article...
Thank you for your feedback!