
How to make sure that SEPM log is saved for at least 12 months ?

Created: 02 Sep 2012 • Updated: 04 Sep 2012 | 12 comments
This issue has been solved. See solution.

Can anyone please assist me in configuring the SEPM to retain incidents from the past 12 months for security compliance purposes?

What I'd like to ensure is that all anti-virus mechanisms are current, actively running, and generating audit logs.

This means keeping the audit logs to provide the ability to monitor virus activity and anti-virus reactions. It is imperative that anti-virus software be configured to generate audit logs and that these logs be managed in accordance with the policy, which specifies that AV logs must be retained for 12 months with the latest 3 months immediately available.

Thanks 


pete_4u2002:

You need to configure the log retention settings in SEPM.

Log in to the SEPM console --> Admin --> Servers --> database server --> click on Edit Database Properties --> Log Settings, and configure the number of days and increase the number of events.

Note that the DB size might become huge because of these settings. Hence you may need to select the box with maximum storage.

Mithun Sanghavi:

Hello,

I agree with pete's comment above.

You could increase the log size that is maintained in the database via:

SEPM console >> Admin >> Servers >> Local Server and Click on Edit Site Properties >> Log settings

Also, check this Article on How to manage SEP client log retention settings in SEP 12.1

http://www.symantec.com/docs/TECH188992

You could also create an External Logging and Export log data to a Syslog server

Admin-> Servers-> Local Site -> Configure External Logging

Check these threads:

https://www-secure.symantec.com/connect/forums/how-configure-external-logging-ssim-symantec-endpoint-protection

https://www-secure.symantec.com/connect/forums/external-logging-syslog-server

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade:

Hi John,

Please go through the following screenshots to get a better idea.

[screenshot: Location of logs]

[screenshot: Log retention period]

As Pete said, it would increase the database size heavily. First make sure the drive where SEP is installed has sufficient disk space.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

pete_4u2002:

The above screen captures are for SEP 11. John, can you let us know which version you are using?

Ashish-Sharma:

Hi,

You will need to increase the log settings.

Increase log retention (Admin > Servers > Database under Local Site > Edit Database Properties > Log settings)

Symantec Endpoint Protection (SEP) Sizing and Scalability recommendations

http://www.symantec.com/business/support/index?page=content&id=TECH123242

Hi Pete,

I think John is using SEP client 12.1 RU1.

Check this thread raised by John:

http://www.symantec.com/connect/forums/sep-client-121-ru1-upgrade-121-ru1-mp1

Thanks In Advance

Ashish Sharma

Beppe:

Hi,

Not sure whether someone mentioned that the maximum log retention in SEPM is 90 days. If you need more, you have to consider the external logging feature and handle the retention in your external logging server.

However, rather than posting steps that can be found in the manuals, I'd like you to think again about your needs; I'm not sure you have considered the impact of storing 12 months of logs (or just the max 3 months in the SEPM):

- you will need more disk space for that

- performance of activities related to logs (dashboards, reports, notifications, etc.) will go down, especially if we are talking about thousands of clients; if you don't have proper hardware for that, there's the risk that you will wait minutes just to see the current status of your systems

- in IT (and even more in IT security), 12 months is a lot; are you 100% sure that an event that happened one year ago is still useful? If yes, why? Depending on what you have in mind, are you sure that this 1-year audit can't be the sum of monthly audits rather than being created from the raw data?

Regards,

Giuseppe

SOLUTION
John Santana:

Many thanks for the reply Beppe,

So, by redirecting it to a syslog server like the Tripwire server, can all of these Symantec reports be configured to be dumped into the Tripwire Log Center server (acting as the syslog server)?

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Beppe:

Hi John,

Symantec reports are just the results of queries against the database, formatted in a proper way; these can't be forwarded to a logging server (unless you export/import them manually).

SEP can be configured to send the raw logs to the external logging server, and reports based on them should be run there.

Regards,

Giuseppe

Chetan Savade:

Hi,

For SEP 12.1 the location is as below:

Virus & Spyware Protection --> Miscellaneous --> Log handling

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


John Santana:

@Chetan,

So, by configuring the external syslog server, it should give the same result as setting the SEPM policy as above?

What I need is to list the history for about one year due to the strict regulation of the Payment Card Industry (PCI compliance).

Kind regards,

John Santana
IT Professional


pete_4u2002:

Yes, the client sends its logs to SEPM, and SEPM will send the same information to the syslog server you configured for export.

check the implementation guide.
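
The thread's conclusion is that SEPM itself retains at most 90 days and that the 12-month / 3-month requirement has to be met on the external syslog side. The following is an added example, not code from the original thread or from Symantec: a small Python check that (a) parses forwarded RFC 3164 syslog lines into per-day buckets the way a collector rotates daily files, and (b) verifies a day-keyed inventory of those files against the rule stated in the question, 12 months retained with the latest 3 months immediately available (the same numbers PCI DSS 10.7 uses). The sample log lines, the inventory, the host name sepm01, and the "hot"/"archive" tiers are all constructed for the example; the message bodies are only shaped like SEP events and are not Symantec's exact field layout.

```python
import re
from datetime import date, datetime, timedelta

# Compliance target as stated in the question (PCI DSS 10.7 uses the same numbers):
RETAIN_DAYS = 365   # keep 12 months of AV logs
HOT_DAYS = 90       # the latest 3 months must be immediately available

# RFC 3164 line as a syslog collector stores it: optional <PRI>, timestamp
# without a year (so the parser needs a year hint), host, message.
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample lines, shaped like events SEPM forwards to syslog.
# Illustrative only; not Symantec's exact field layout.
SAMPLE_SYSLOG = """\
<14>Sep  4 01:12:07 sepm01 SymantecServer: Security risk found,Computer name: WS042,Risk name: EICAR Test String,Action: Quarantined
<14>Sep  4 01:12:09 sepm01 SymantecServer: Security risk found,Computer name: WS042,Risk name: EICAR Test String,Action: Quarantined
<14>Sep  3 23:59:58 sepm01 SymantecServer: Site: Site1,Server: sepm01,Virus definitions updated
this line is not syslog and must be skipped
"""

TODAY = date(2012, 9, 4)  # the thread's own date, used as "now" in the example


def parse_syslog_line(line, year):
    """Return (datetime, host, message), or None for a line that is not syslog."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    # strptime treats a space in the format as "one or more spaces", so "Sep  4" parses.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def partition_by_day(text, year):
    """Group events by ISO day, the way a collector rotates into daily files.
    Caveat for real collectors: RFC 3164 carries no year, so lines received
    just after New Year with a December timestamp need year-1 as the hint."""
    days = {}
    for line in text.splitlines():
        parsed = parse_syslog_line(line, year)
        if parsed is None:
            continue
        ts, host, msg = parsed
        days.setdefault(ts.date().isoformat(), []).append((host, msg))
    return days


def build_inventory(today, missing=(), misplaced=()):
    """Constructed inventory: ISO day -> tier, as a listing of the collector's
    hot and archive volumes would give. `missing` days have no file at all;
    `misplaced` days sit in the archive although they are still recent."""
    inv = {}
    for back in range(RETAIN_DAYS):
        iso = (today - timedelta(days=back)).isoformat()
        if iso in missing:
            continue
        inv[iso] = "archive" if (back >= HOT_DAYS or iso in misplaced) else "hot"
    return inv


# One day lost entirely, one recent day archived too early (both constructed).
SAMPLE_INVENTORY = build_inventory(
    TODAY, missing=("2012-03-15",), misplaced=("2012-07-01",)
)


def retention_gaps(inventory, today):
    """Check a day-keyed inventory against the 12-month / 3-month rule.
    Returns (days with no log file, recent days not immediately available),
    each newest first."""
    missing, not_hot = [], []
    for back in range(RETAIN_DAYS):
        iso = (today - timedelta(days=back)).isoformat()
        tier = inventory.get(iso)
        if tier is None:
            missing.append(iso)
        elif back < HOT_DAYS and tier != "hot":
            not_hot.append(iso)
    return missing, not_hot


if __name__ == "__main__":
    for day, events in sorted(partition_by_day(SAMPLE_SYSLOG, TODAY.year).items()):
        print(f"{day}: {len(events)} event(s)")
    gaps, cold = retention_gaps(SAMPLE_INVENTORY, TODAY)
    print("days with no log file:", gaps)
    print("recent days not immediately available:", cold)
```

Run this against a real listing of the collector's daily files (one dict entry per day, tier taken from which volume the file lives on) as a scheduled job; an empty result from retention_gaps is the evidence an auditor asks for, and a non-empty one shows exactly which days the SEPM-to-syslog pipeline or the archive rotation dropped.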

John Santana:

Ah, that will be great.

Many thanks for the clarification. So in this case I'll revert the value back to the default of 60 days, and then I must redirect all of the logs to the proper syslog server rather than upgrading and storing the logs in the SEPM database, because there is no way to recover the data after 1-2 years.

Kind regards,

John Santana
IT Professional
