Wednesday 28 March 2018

Importing DFSR debug & Event logs into vRealize Log Insight

If you're running a large DFS replication cluster with a large (millions) number of files, you probably have a very high turnover of both Windows Event logs and DFSR debug logs.

There are many log aggregation tools, from the freeware ELK stack and Graylog to the paid-for Splunk and vRealize Log Insight from VMware. vRealize Log Insight doesn't have the per-GB licencing model that Splunk has, but it also comes up a little short on functionality in the way of pre-built "apps".

Neither has an app for DFSR, but luckily it doesn't take much in Log Insight to import the DFSR logs. It's also (OVA) appliance based, so to add capacity you just deploy another appliance and join it to the cluster.

To import the DFSR logs you need to deploy the Windows Log Insight Agent to the file servers in question.

msiexec SERVERHOST=<log insight ip> /qn /i <agent msi filename>

Once the agents are reporting into Log Insight, go to the Administration page and choose Management -> Agents. Create a new group containing the file servers and enter this configuration:

[filelog|DFSR_logs]
directory=C:\Windows\debug
include=Dfsr01000.log
event_marker=^\d\d\d\d\d\d\d\d\s\d\d:\d\d:\d\d\.\d\d\d

[winlog|DFS_Replication]
channel=DFS Replication
tags={"ms_product":"activedirectory"}
parser=auto

The event_marker is what makes this work: every DFSR debug record starts with a datestamp (YYYYMMDD HH:MM:SS.mmm) that matches the marker, so the agent treats each matching line as the start of a new event and folds any following non-matching lines into that event, keeping multiline records intact.
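As an added example (not part of the original post and not the Log Insight agent's own code), this Python script applies the event_marker regex above to a constructed DFSR debug log excerpt and groups the lines into events the same way the agent's multiline handling does. The header line and record contents are invented for illustration.

```python
import re
from typing import List, Optional

# The event_marker from the agent config above; the dot before the
# milliseconds is escaped so it only matches a literal '.'.
EVENT_MARKER = re.compile(r"^\d\d\d\d\d\d\d\d\s\d\d:\d\d:\d\d\.\d\d\d")

# Constructed sample of a DFSR debug log (not real data): a header line,
# then three records, one of which continues over several lines.
SAMPLE_LOG = """\
* FRS Log Sequence:1 Index:1 Computer:FS01 TimeZone:GMT Standard Time
20180328 10:15:23.123 1a2c  300 Config    Loaded replicated folder settings
20180328 10:15:24.456 1a2c  301 Error     [ERROR] Failed to open file
+    file          example.docx
+    rgName        ExampleGroup
+    Error: Access is denied
20180328 10:15:25.789 1a2c  302 Join      Join::SubmitUpdate complete
"""


def split_events(text: str, marker: re.Pattern = EVENT_MARKER) -> List[str]:
    """Group raw log lines into events the way a multiline event_marker does:
    a line that matches the marker starts a new event; any other line is
    appended to the event in progress. Lines before the first marker form
    their own preamble event so nothing is silently discarded."""
    events: List[List[str]] = []
    for line in text.splitlines():
        if marker.match(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(e) for e in events]


def event_timestamp(event: str) -> Optional[str]:
    """Return the 'YYYYMMDD HH:MM:SS.mmm' stamp that opened the event, or None
    for a preamble event that has no marker."""
    m = EVENT_MARKER.match(event)
    return m.group(0) if m else None


if __name__ == "__main__":
    for ev in split_events(SAMPLE_LOG):
        stamp = event_timestamp(ev)
        print(f"[{stamp or 'preamble'}] {ev.count(chr(10)) + 1} line(s)")
```

Feed it a real Dfsr*.log and any record that is split across several events in Log Insight points to a line the marker does not match.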