I'm sure this is a basic question, but I'm having trouble finding a straight answer to it. Say you have a data source set up for WMI and the pull time is set for an hour. When it checks the next hour, I'm assuming it knows where it left off and only pulls a delta/new logs. My question is: for how long does it pull logs? If for some reason there happened to be an extreme amount of logs since the last pull, does it just pull until it reaches the end of the log file? Or is there some type of timeout where it will just then pick up where it left off the next hour?
I ask because we have a server that seems to be constantly pulling logs even though the pull time is set higher.
There is a bookmark file that lets the receiver know where it left off from the last pull. Is there a slow link between the receiver and the data source? Is the data source really active in the event log? Could it be that it takes the full (10 min?) to pull the logs down?