Endpoint Protection


How to make sure that SEPM log is saved for at least 12 months ?

  • 1.  How to make sure that SEPM log is saved for at least 12 months ?

    Posted Sep 03, 2012 03:20 AM

    Can anyone please assist me in configuring SEPM to retain incidents from the past 12 months for security compliance purposes?

    What I'd like to ensure is that all anti-virus mechanisms are current, actively running, and generating audit logs.

    Which is keeping the audit logs to provide the ability to monitor virus activity and anti-virus reactions. It is imperative that anti-virus software be configured to generate audit logs and that these logs be managed in accordance with the policy, which specifies that AV logs must be retained for 12 months with the latest 3 months immediately available.

    Thanks 



  • 2.  RE: How to make sure that SEPM log is saved for at least 12 months ?

    Broadcom Employee
    Posted Sep 03, 2012 03:29 AM

    You need to configure the log retention settings in SEPM.

    Log in to the SEPM console --> Admin --> Servers --> Database server --> click on Edit Database Properties --> Log settings, and configure the days and increase the number of events.

    Note that the DB size might be huge because of these settings. Hence you may need to select the box with maximum storage.




  • 3.  RE: How to make sure that SEPM log is saved for at least 12 months ?

    Trusted Advisor
    Posted Sep 03, 2012 04:06 AM

    Hello,

    I agree with pete's comment above.

    You could increase the log size which is maintained in the database by

    SEPM console >> Admin >> Servers >> Local Server and Click on Edit Site Properties >> Log settings

    Also, check this article on how to manage SEP client log retention settings in SEP 12.1:

    http://www.symantec.com/docs/TECH188992

    You could also create an external logging configuration and export log data to a syslog server:

    Admin -> Servers -> Local Site -> Configure External Logging

    Check these threads:

    https://www-secure.symantec.com/connect/forums/how-configure-external-logging-ssim-symantec-endpoint-protection

    https://www-secure.symantec.com/connect/forums/external-logging-syslog-server

    Hope that helps!!



  • 4.  RE: How to make sure that SEPM log is saved for at least 12 months ?

    Broadcom Employee
    Posted Sep 03, 2012 06:58 AM

    Hi John,

    Please go through the following screenshots to get a better idea.

    Location of logs:


    Log retention period:

    As Pete said, it would increase the database size heavily. First make sure the drive where SEP is installed has sufficient disk space.



  • 5.  RE: How to make sure that SEPM log is saved for at least 12 months ?

    Broadcom Employee
    Posted Sep 03, 2012 07:01 AM

    The above screen captures are for SEP 11. John, can you let us know which version you are using?



  • 6.  RE: How to make sure that SEPM log is saved for at least 12 months ?

    Posted Sep 03, 2012 07:25 AM

    Hi,

    You will need to increase the log setting.

    Increase log retention (Admin > Servers > Database under Local Site > Edit Database Properties > Log settings)

    Symantec Endpoint Protection (SEP) Sizing and Scalability recommendations

    http://www.symantec.com/business/support/index?page=content&id=TECH123242

    Hi Pete,

    I think John is using SEP client 12.1 RU1.

    Check this thread raised by John:

    http://www.symantec.com/connect/forums/sep-client-121-ru1-upgrade-121-ru1-mp1



  • 7.  RE: How to make sure that SEPM log is saved for at least 12 months ?
    Best Answer

    Posted Sep 03, 2012 08:53 AM

    Hi,

    Not sure if someone mentioned that the maximum log retention in SEPM is 90 days. If you need more, you have to consider the external logging features and handle the retention in your external logging server.

    However, rather than posting steps that can be found in the manuals, I'd like you to think again about your needs. I'm not sure you have considered the impact of storing 12 months of logs (or just the max 3 months in the SEPM):

    - you will need more disk space for that

    - performance of activities related to logs (dashboards, reports, notifications, etc.) will go down, especially if we are talking about thousands of clients; if you don't have a proper hardware for that, there's the risk that you will wait minutes just to see the current status of your systems

    - in IT (and even more in IT security), 12 months are a lot. Are you 100% sure that an event that happened one year ago is still useful? If yes, why? Depending on what you have in mind, are you sure that this 1-year audit can't be the sum of monthly audits rather than creating it from the raw data?



  • 8.  RE: How to make sure that SEPM log is saved for at least 12 months ?

    Broadcom Employee
    Posted Sep 03, 2012 09:10 AM

    Hi,

    For SEP 12.1 location is as per below:

    Virus & Spyware Protection --> Miscellaneous --> Log handling



  • 9.  RE: How to make sure that SEPM log is saved for at least 12 months ?

    Posted Sep 03, 2012 09:30 PM

    Many thanks for the reply Beppe,

    So by redirecting it to a syslog server like the Tripwire server, can all of these Symantec reports be configured to be dumped into the Tripwire Log Center server (acting as the syslog)?



  • 10.  RE: How to make sure that SEPM log is saved for at least 12 months ?

    Posted Sep 03, 2012 10:00 PM

    @Chetan,

    So by configuring the external syslog server, should it give the same result as setting the SEPM policy as above?

    What I need is to list the history for about one year due to the strict regulation of the Payment Card Industry (PCI compliance).



  • 11.  RE: How to make sure that SEPM log is saved for at least 12 months ?

    Broadcom Employee
    Posted Sep 03, 2012 10:48 PM

    Yes, the client sends its logs to SEPM, and SEPM will be sending the same information to the syslog server you configured to export to.

    Check the implementation guide.



  • 12.  RE: How to make sure that SEPM log is saved for at least 12 months ?

    Posted Sep 03, 2012 11:06 PM

    Ah that will be great.

    Many thanks for the clarification. So in this case I'll revert the value to 60 days as the default, then I must redirect all of the logs into the proper syslog server rather than upgrading and storing the logs in the SEPM database, because there is no way to recover the data after 1-2 years.



  • 13.  RE: How to make sure that SEPM log is saved for at least 12 months ?

    Posted Sep 04, 2012 03:15 AM

    Hi John,

    Symantec reports are just the results of queries against the Database and formatted in a proper way, these things can't be forwarded to a logging server (unless you export/import them manually).

    SEP can be configured to send the raw logs to the external logging server, reports based on them should be run there.
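Once the raw SEP events are forwarded to an external logging server, as the best answer and the last reply recommend, the retention requirement from the original question (12 months kept, latest 3 months immediately available) becomes something the receiving side has to verify. The following script is an added example, not code from the thread or from Symantec: it checks a small constructed archive of forwarded events for month-by-month coverage and derives the kind of monthly detection count that post 7 suggests building from the raw data. The ISO timestamp, the "hot"/"cold" tier tag and the comma-separated "Field: value" message layout are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Constructed sample of SEPM events as they might sit in a syslog archive:
# (ISO timestamp, storage tier, message). Tier tags and message layout are assumed.
ARCHIVE = [
    ("2012-09-03T03:20:00", "hot", "Virus found,Computer name: PC01,Risk name: EICAR Test String,Action: Quarantined"),
    ("2012-08-15T11:02:00", "hot", "Scan Complete,Computer name: PC02,Risks: 0"),
    ("2012-07-01T09:00:00", "hot", "Virus found,Computer name: PC03,Risk name: EICAR Test String,Action: Cleaned"),
    ("2012-06-20T13:45:00", "cold", "Scan Complete,Computer name: PC03,Risks: 0"),
    # May 2012 is deliberately absent so the gap shows up in the report
    ("2012-04-10T08:30:00", "cold", "Virus found,Computer name: PC02,Risk name: EICAR Test String,Action: Cleaned"),
    ("2012-03-05T10:00:00", "cold", "Scan Complete,Computer name: PC01,Risks: 0"),
    ("2012-02-14T10:00:00", "cold", "Scan Complete,Computer name: PC01,Risks: 0"),
    ("2012-01-09T10:00:00", "cold", "Scan Complete,Computer name: PC02,Risks: 0"),
    ("2011-12-12T10:00:00", "cold", "Scan Complete,Computer name: PC03,Risks: 0"),
    ("2011-11-07T10:00:00", "cold", "Scan Complete,Computer name: PC01,Risks: 0"),
    ("2011-10-03T10:00:00", "cold", "Scan Complete,Computer name: PC02,Risks: 0"),
]

def parse_event(message):
    """Split 'Event type,Key: value,...' into the event name and a field dict."""
    event, *fields = message.split(",")
    return event, dict(f.split(": ", 1) for f in fields if ": " in f)

def months_back(today, n):
    """The n most recent 'YYYY-MM' keys ending with today's month, newest first."""
    y, m, out = today.year, today.month, []
    for _ in range(n):
        out.append(f"{y:04d}-{m:02d}")
        y, m = (y - 1, 12) if m == 1 else (y, m - 1)
    return out

def retention_report(archive, today, keep_months=12, hot_months=3):
    """Compare the required window (12 kept, 3 online) with what the archive holds."""
    per_month = Counter((ts[:7], tier) for ts, tier, _ in archive)
    required = months_back(today, keep_months)
    missing = [mo for mo in required if per_month[(mo, "hot")] + per_month[(mo, "cold")] == 0]
    cold_only = [mo for mo in required[:hot_months] if per_month[(mo, "hot")] == 0]
    return {"missing_months": missing, "recent_not_online": cold_only,
            "compliant": not missing and not cold_only}

def monthly_detections(archive):
    """Per-month count of 'Virus found' events, a monthly audit figure from raw logs."""
    counts = Counter(ts[:7] for ts, _, msg in archive if parse_event(msg)[0] == "Virus found")
    return dict(counts)

def check_sample():
    """Run the report for the constructed archive as of 3 Sep 2012 (the thread's date)."""
    return retention_report(ARCHIVE, date(2012, 9, 3))
```

Run against the constructed archive, the report flags 2012-05 as missing and therefore non-compliant, while the three most recent months are all in the online tier.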