We are planning and designing a Windows Event Forwarding architecture for a Security Operation Center. In this structure, logs are collected with WEF in push mode from Windows servers to WEF servers. What happens if a WEF server is disconnected in this architecture? Will logs be lost? After the disconnection, once the connection is repaired, will the logs waiting to be collected from the clients to the WEF server be collected completely? How can this architecture be realized for complete log collection by WEF on the WEF server?
