I tried to get the log forwarder working, and it just spiked my CPU to 100% and would never give it back.
Before you go deploying it, give it a test run to see how it does for you.
I'm running Snare without any problems right now.
No issues running the Log Forwarder on my test boxes. (The only major deployment concern I have is making sure .NET 2.0 is installed on all the servers.)
I have many instances of Snare installed without issue, with the exception of Snare Epilog. Epilog is problematic.
Comparing Snare to SW Log Forwarder, I think the SW Log Forwarder is simpler and much more intuitive. SW should get kudos for putting together a good, basic product. The only shortcoming I really see in the SW Log Forwarder is a lack of wildcard support / regex support.
Otherwise, one of my internal customers has a very specific requirement and the SW Log Forwarder would be perfect for the job, but knowing how my customers are, I'll probably end up installing a Splunk forwarder instead. (SW Log Forwarder = Scalpel, Splunk Forwarder = Swiss Army Knife.)