Juan Alvarez

03/22/2022, 5:27 PM
Hi channel, has anybody had success collecting events for servers with a high volume of Windows events (i.e. DCs)? If so, would you be able to share what configurations you use to do so? I have tried several configurations, but everything begins to behave flaky when events are over 300 EPS (or less sometimes). If I move to something bigger (like over 1k EPS, typically in WEC servers), then I run into the RocksDB issue like we talked about in: https://osquery.slack.com/archives/C0FHNQ2N6/p1640173682046400 It would be awesome to hear if somebody has been able to solve this use case using vanilla osquery. We do
select * from windows_events
every 60 secs, and send that data via TLS to our SIEM.