We are looking to limit event collection when ESM receivers retrieve events from Windows machines over slow links. We would like to set the receiver to only retrieve 100 messages, or 100KB in a single poll, and only do one pull per minute, as an example.
Any thoughts would be appreciated.
That is not possible in the SIEM at this time. You can limit the ESM-to-receiver communication to certain time frames, but there is nothing to limit the receiver-to-WMI-device traffic; you can only specify the rate at which it will poll the WMI device for new logs.