
Log aggregate and summarizer

Created: 01 Jul 2013 | 4 comments

Hello,

I need to understand the complete way compressed/aggregated logs work on SEP/SEPM 12.1... The security team is asking for details regarding SUMMARIZED DATA...


I see 3 options in the console :

- On the client : Antivirus policy : "Aggregate logs events for X minutes (5min)"

- On the server : database options : "Compress risk events after X days (7 days)" and "Delete compressed events after X days (60 days)"


What I understand is :

- Clients with the same risk alerts during 5 minutes aggregate them into only one risk event and push it to the SEPM server at the next heartbeat.

- The server is able to compress identical risk alerts after 7 days. Compression is done for each 1-hour interval. Alerts are then displayed as only one alert with a 'SUMMARIZED DATA' entry for the path. This entry can be expanded to see each path.

- After 60 days, all compressed risk alerts are deleted.


My questions :

- Is the 'Aggregate' client option seen as a 'compressed' one by the SEPM? I mean, are these aggregated values tagged as SUMMARIZED DATA, and so deleted after 60 days? How can I check that a risk alert in the console is an aggregated one?

- The server is able to compress alerts after 7 days => SUMMARIZED DATA is displayed in reports but can be expanded for details. So before 7 days I have all detailed paths for each alert? And between 7 and 60 days a SUMMARIZED view, but details are still available? And finally after 60 days the alert is deleted and no longer available in reports?

- What is the point of compressing values if they are still in the database with details?


Thanks in advance for your help.

Regards



pete_4u2002:

check this link

http://www.symantec.com/business/support/index?page=content&id=TECH90856

It's the client that sends the data; however, on SEPM it will be seen as the many events the client has seen.


Xtof:

Hello,

Hmm... I still don't understand the whole process on SEPM... Is the aggregate option seen as compressed values, and so impacted by Summarized data?

Regards

Rafeeq:

SUMMARIZED DATA indicates grouped events of a similar nature that have been compressed.

You can configure SEPM (Symantec Endpoint Protection Manager) to compress identical "risk found" events; identical risk events found within the same one-hour interval are compressed into one summary event with a count. The database settings in the SEPM site properties have been configured to delete compressed events after a number of days.

If you look at the details of a summarized event, the File/Path section will show each folder where individual detections occurred. This is because the original events are still in the database and can be referenced by the summary event. When enough time has passed, the File/Path section no longer shows the same details. This is because the original records have been deleted based on the "Delete Compressed Events" setting. The summarized event is still a Risk Event and its deletion is governed by the "Delete Risk Events" setting.


http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/fcab18052d50114f882574d50078a59c?OpenDocument
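The lifecycle laid out in the question (client-side aggregation window, server-side hourly compression, deletion of compressed events) and in Rafeeq's answer above, modelled as an added Python example. This is not SEPM code and reads nothing from a SEPM database: the retention values are the ones quoted in the question, the event rows and the `Sample.Risk` name are constructed input, and carrying the client's aggregate count as a field on an ordinary risk-event row is an assumption about how such rows look on the server, made only so the two mechanisms can be told apart.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Settings named in the thread, with the values the original poster quoted.
AGGREGATE_MINUTES = 5         # client AV policy: "Aggregate log events for X minutes"
COMPRESS_AFTER_DAYS = 7       # SEPM database options: "Compress risk events after X days"
DELETE_COMPRESSED_DAYS = 60   # SEPM database options: "Delete compressed events after X days"


@dataclass
class RiskEvent:
    """One 'risk found' row as a client reports it (constructed model, not the SEPM schema)."""
    time: datetime
    client: str
    risk: str
    path: str
    count: int = 1            # >1 means the client already aggregated repeats of this row


@dataclass
class SummaryEvent:
    """One compressed row: the console shows 'SUMMARIZED DATA' in its path column."""
    hour: datetime
    client: str
    risk: str
    count: int
    originals: list = field(default_factory=list)   # original rows the summary refers back to

    @property
    def detail_paths(self):
        # Expanding SUMMARIZED DATA walks the original rows; nothing is left once they are purged.
        return sorted({e.path for e in self.originals})


def client_aggregate(events, minutes=AGGREGATE_MINUTES):
    """Client side: identical events (same client, risk, path) within `minutes`
    of the first one are merged into a single row with a count."""
    window = timedelta(minutes=minutes)
    open_buckets = {}   # (client, risk, path) -> row currently being aggregated
    sent = []
    for e in sorted(events, key=lambda e: e.time):
        key = (e.client, e.risk, e.path)
        bucket = open_buckets.get(key)
        if bucket is not None and e.time - bucket.time < window:
            bucket.count += e.count
            continue
        bucket = RiskEvent(e.time, e.client, e.risk, e.path, e.count)
        open_buckets[key] = bucket
        sent.append(bucket)
    return sent


def server_compress(events, now, days=COMPRESS_AFTER_DAYS):
    """SEPM side: rows older than `days` are folded into one summary per
    (client, risk, one-hour interval); newer rows stay detailed."""
    cutoff = now - timedelta(days=days)
    summaries, detailed = {}, []
    for e in events:
        if e.time >= cutoff:
            detailed.append(e)
            continue
        hour = e.time.replace(minute=0, second=0, microsecond=0)
        key = (e.client, e.risk, hour)
        s = summaries.setdefault(key, SummaryEvent(hour, e.client, e.risk, 0))
        s.count += e.count
        s.originals.append(e)
    return list(summaries.values()), detailed


def server_purge(summaries, now, days=DELETE_COMPRESSED_DAYS):
    """'Delete compressed events': drop the original rows behind summaries older than
    `days`. The summary row itself stays; its own deletion follows 'Delete risk events'."""
    cutoff = now - timedelta(days=days)
    for s in summaries:
        if s.hour < cutoff:
            s.originals = []
    return summaries


NOW = datetime(2013, 7, 1, 12, 0)


def _at(days_ago, hh, mm):
    return (NOW - timedelta(days=days_ago)).replace(hour=hh, minute=mm)


# Constructed sample input: three repeats of one detection within 5 minutes, a second path
# in the same hour, two detections on another client 10 days ago, and one fresh detection.
SAMPLE = [
    RiskEvent(_at(70, 10, 0), "PC-A", "Sample.Risk", r"C:\temp\a.exe"),
    RiskEvent(_at(70, 10, 2), "PC-A", "Sample.Risk", r"C:\temp\a.exe"),
    RiskEvent(_at(70, 10, 3), "PC-A", "Sample.Risk", r"C:\temp\a.exe"),
    RiskEvent(_at(70, 10, 30), "PC-A", "Sample.Risk", r"C:\temp\b.exe"),
    RiskEvent(_at(10, 9, 0), "PC-B", "Sample.Risk", r"D:\x.exe"),
    RiskEvent(_at(10, 9, 15), "PC-B", "Sample.Risk", r"D:\y.exe"),
    RiskEvent(_at(1, 8, 0), "PC-A", "Sample.Risk", r"C:\new.exe"),
]


def run_pipeline(raw=SAMPLE, now=NOW):
    sent = client_aggregate(raw)
    summaries, detailed = server_compress(sent, now)
    server_purge(summaries, now)
    return {
        "sent_to_sepm": len(sent),
        "detailed": [(e.path, e.count) for e in detailed],
        "summaries": [(s.client, s.count, s.detail_paths)
                      for s in sorted(summaries, key=lambda s: s.hour)],
    }


if __name__ == "__main__":
    for name, value in run_pipeline().items():
        print(name, value)
```

Running it gives the three states the question asks about: the 1-day-old event is still a detailed row, the 10-day-old pair is one summary with count 2 that still expands to both paths, and the 70-day-old summary keeps its count of 4 (the client's aggregate of 3 plus the second path) but no longer expands to any path because its originals were purged.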

Xtof:

Hello,

I still have a question regarding this topic: does the client option 'Aggregate log' result in a summarized data value in SEPM, or does this compressed value only depend on the "Compress risk event after..." option?


Regards