SCOM ACS Forwarders and full event logs
Can someone clarify if SCOM ACS forwarders will still send security events to the database if the event log on the server being monitored is full. The statement below states that the event log is used for buffering, but doesn't actually say what will happen in the event it is unavailable ?!?

Security Event Log Sizing

The ACS forwarder sends all security events from a monitored computer to the ACS collector server in near real time. As it does so, it updates a watermark that indicates which event was last successfully sent to the ACS collector. The ACS collector server buffers the incoming events for performance and reliability. If the ACS forwarder cannot communicate with the ACS collector, security events will not be lost to ACS as long as they can be written to the security event log. Then, when communications are restored, the ACS forwarder consults the watermark and picks up sending events where it left off. In effect, the security event log is the buffer that the ACS forwarder can use if needed.

For the security event log buffering process to work, the log must be of sufficient size to accommodate all the events that could be written to it in the case of a forwarder-to-collector communication failure. This is true regardless of which of the following security log retention methods is used: Overwrite events by days, Overwrite events as needed, or Do not overwrite events (clear log manually). The maximum size for the security event log in Windows Server 2003 (any edition) is 4 GB. This can be set locally in the properties of the log itself, or it can be set at the domain level for domain-joined computers in the Domain Security Policy and for all domain controllers in the Domain Controller Security Policy.

Thanks in advance.
September 21st, 2011 6:43pm

Read it again and a little more carefully. What it says is that if the ACS server is not able to be reached, you won't lose the events as long as the log being monitored doesn't roll over or get filled up. ACS is not using the event log as a buffer. The event log is an event log. It either fills up, rolls over or doesn't.

If the cursor used by the ACS agent gets rolled out, or reset, there will be a gap in the collected events. If the collector is not keeping up, the cursor isn't moved and can get overwritten should the log be cleared.

The "fills up" issue is this - if your security log is static size, it will only hold so many messages. If you aren't clearing it adequately, then it will fill up and writes to that log will stop. Those messages are lost since they are not in the log - and thus not available to be collected.

Moral - use circular logs and make sure you aren't interrupting the ACS communications if you want loss-free collection of mass security events.

Microsoft Corporation
September 21st, 2011 8:26pm
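The answer above comes down to two checks a SCOM admin can script: is the Security log in "Do not overwrite" (static) mode, and is it large enough to hold the events that would pile up during a forwarder-to-collector outage? The script below is an added example, not code from the thread or from Microsoft; it assumes Windows Server 2008 / Vista or later (Get-WinEvent is unavailable on the Server 2003 hosts the question mentions), an elevated prompt, and an assumed planning value of 8 hours for the longest outage to ride out. It estimates the current write rate and bytes per record from the newest events, then reports how many hours of buffering the log configuration actually provides.

```powershell
# Added example (not from the thread): audit the Security log's capacity to act as
# the ACS forwarder's buffer during a collector outage.
# Assumes Windows Vista / Server 2008 or later and an elevated PowerShell session.
param(
    [double]$OutageHours = 8,      # assumed planning value: longest outage to survive
    [int]$SampleEvents   = 2000    # newest events used to estimate the write rate
)

function Get-SecurityLogBufferReport {
    param([double]$OutageHours, [int]$SampleEvents)

    # EventLogConfiguration object: size limit, current size, record count, mode
    $cfg = Get-WinEvent -ListLog Security

    # LogMode Retain == "Do not overwrite events (clear log manually)". A full log in
    # this mode stops accepting writes, which is the loss scenario described above.
    $retention = switch ($cfg.LogMode) {
        'Circular'   { 'Overwrite events as needed' }
        'AutoBackup' { 'Archive the log when full, do not overwrite' }
        'Retain'     { 'Do not overwrite events (clear log manually)' }
        default      { [string]$cfg.LogMode }
    }

    # Average bytes per record from the file on disk.
    $avgBytes = if ($cfg.RecordCount -gt 0) { $cfg.FileSize / $cfg.RecordCount } else { 0 }

    # Events per second from the timestamps of the newest $SampleEvents records
    # (Get-WinEvent returns newest first).
    $recent = Get-WinEvent -LogName Security -MaxEvents $SampleEvents -ErrorAction SilentlyContinue
    $rate = 0
    if ($recent -and $recent.Count -gt 1) {
        $span = ($recent[0].TimeCreated - $recent[-1].TimeCreated).TotalSeconds
        if ($span -gt 0) { $rate = $recent.Count / $span }
    }

    # Bytes the log must absorb while the forwarder cannot reach the collector.
    $needBytes = $rate * 3600 * $OutageHours * $avgBytes

    # In Circular mode the oldest (already forwarded) events are overwritten first,
    # so the whole log is usable as buffer; in Retain/AutoBackup mode only the
    # unused portion is, because the log stops accepting writes when it fills.
    $freeBytes = $cfg.MaximumSizeInBytes - $cfg.FileSize
    $usable    = if ($cfg.LogMode -eq 'Circular') { $cfg.MaximumSizeInBytes } else { $freeBytes }

    $bufferHours = $null
    if ($rate -gt 0 -and $avgBytes -gt 0) {
        $bufferHours = [math]::Round($usable / ($rate * $avgBytes) / 3600, 1)
    }

    [pscustomobject]@{
        LogMode              = [string]$cfg.LogMode
        RetentionMethod      = $retention
        IsLogFull            = $cfg.IsLogFull
        MaxSizeMB            = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
        CurrentSizeMB        = [math]::Round($cfg.FileSize / 1MB, 1)
        EventsPerSecond      = [math]::Round($rate, 2)
        AvgBytesPerEvent     = [math]::Round($avgBytes)
        BufferHoursAvailable = $bufferHours
        SufficientForOutage  = ($usable -ge $needBytes)
        StaticLogRisk        = ($cfg.LogMode -eq 'Retain')   # writes stop when full
    }
}

$report = Get-SecurityLogBufferReport -OutageHours $OutageHours -SampleEvents $SampleEvents
$report | Format-List

# Remediation matching the advice above: circular log, sized for the outage.
# Uncomment to apply; 1GB is an assumed target, pick one from BufferHoursAvailable.
# $cfg = Get-WinEvent -ListLog Security
# $cfg.LogMode = 'Circular'
# $cfg.MaximumSizeInBytes = 1GB
# $cfg.SaveChanges()
```

StaticLogRisk is the condition both replies warn about: a Retain-mode log that reaches MaxSizeMB simply stops logging, and events that never reach the log can never be forwarded. A Circular log only loses unforwarded events when the outage outlasts BufferHoursAvailable, which is the number to size the log against. On domain-joined hosts the size and retention mode may be enforced by Group Policy, in which case the local SaveChanges() is overridden at the next policy refresh and the change belongs in the policy instead.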

Well said. If the log is full and set to not roll over it will be... full. So no writes to log. And collector can't read messages that are not written to the log.

Bob Cornelissen - BICTT (My BICTT Blog) - Microsoft Community Contributor 2011 Recipient
September 21st, 2011 11:18pm
