I am in the process of building a centralized repository to which Windows servers will forward event logs.
Even though there is no known number of clients per collector, I was wondering what the general rule of thumb is for the number of servers a single collector should handle and the amount of memory and CPU we need to allocate.
I see that a collector can also accept messages from sources in different domains, which also makes me wonder how much one server can handle.
I have 5000 servers and have a feeling that a single collector server would not be enough.
What is your take on this?