The real problem here is that once the overflow occurs, collection of those events is permanently disabled and there's no one-click way of enabling it again. It would be nice if there was a way to quickly find all the machines whose log settings had been changed and put them back the way they were before the overflow occurred. Anyone know of a way to do this, other than manually scanning for red characters in the Alerts screens?