LOG Settings in SEPM: how many entries/rows?
Created: 06 Feb 2013 | 8 comments
Case Scenario.
10.000 SEP 12.1 RU2 clients deployed with all features enabled.
I want to maintain 60 days of logs.
What ENTRIES value do I have to set?
Just to have an idea.
I've seen that if I put 10k entries I see only the last 4 hours in the client activity...
Hi,
Check this thread; it may help.
http://www.symantec.com/connect/forums/how-make-sure-sepm-log-saved-least-12-months
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
What's the heartbeat? You may want to increase and check the log retention.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Do you want to maintain all logs or just for a specific group? Generally, you should be able to set them to "60 days" in the database properties section.
SEP Knowledge Base
Endpoint SWAT
Saving 12 months of logs is a lot of data to be saved and would also impact your SEPM performance, i.e. while exporting logs. You would experience very slow loading of Home, Monitors and Reports, or sometimes it would time out.
Don't forget to mark your thread as 'solved' or vote with the answer that best helped you!
Secondly, it saves up to 10000 entries; not sure if there are more detections than 10000; irrespective of the days or months, it won't keep longer.
Don't forget to mark your thread as 'solved' or vote with the answer that best helped you!
If I increase the value in the entries section, I think it will retain the new value set.
I've edited the properties in the DB server via SEPM Console but dunno the approximate value to set.
The heartbeat is set to 20 minutes.
Any idea as to how much log data your clients generate?
The first section, "Management Server Log Settings", is just strictly events related to the SEPM. You can check these logs by going to Monitors >> Logs and setting the Log type to System; for Log content there are 5 options. You can look thru each one. These fill up pretty quickly though.
Client Log Settings can be another large amount of data, especially if you are logging firewall traffic logs.
Risk Log Settings may be the smallest amount of data, depending on how you use them but they could be pretty large as well.
Depending on the specs of your server and DB, performance may take a hit. Do you have an option to send to syslog? This would be ideal.
SEP Knowledge Base
Endpoint SWAT
Well, then the default settings are good enough to store that much data for 10k clients, except Traffic and Control logs. They create lots of noise and a lot of data will be uploaded; same with SNAC if you have it enabled.
So increase the Traffic and Control logs to, say, 50k or 100k to start with and check how much data can be pulled.
Remember, 10,000 doesn't mean you will have 10k rows in the logs; it is 10k types of types, as every type of log can be broken down further.
Vikram Kumar
Symantec Consultant
The most helpful part of the entire Symantec Connect is the Search button. Do use it.