Log aggreagate and summarizer
I need to understand the complete way of compressed/aggreagated logs on SEP/SEPM 12.1... Security team is asking for details regarding SUMMARIZED DATA...
I see 3 options in the console :
- On the client : Antivirus policy : "Aggregate logs events for X minutes (5min)"
- On server : database options : "Compress risk event after X days (7 days)" and "Delete compressed evetns after X days (60 days)"
What I understand is :
- clients with the same risk alerts during 5 minutes aggregate to only one risk event and push it on the SEPM server at the next heartbeat.
- Server is able to compress risk alerts that are identical after 7 days. Compression is done for each 1 hour interval. Alerts are now displayed as only one alert with 'SUMMARIZED DATA' entry for the path. Able to expand this entry to see each path.
- after 60 days, all compressed risk alerts are deleted.
My questions :
- is the 'Aggregate' client option seen as a 'compressed' one by the SEPM ? I mean, do these aggregated values are taged as SUMMARIZED DATA ? and so deleted after 60 days ? How can I check that a risk alert in the console is an aggreagated one ?
- Server is able to compress alerts after 7 days => SUMMARIZED DATA is displayed in reports but can be expanded for details. So before 7 days I have all detailed paths for each alerts ? And between 7 and 60 days a SUMMARIZED view but detailed are still available ? And finaly after 60 days alert is deleted and no more available on reports ?
- What is the interest to compress values if they are still in the database with details ?
Thanks in advance for your help.