Endpoint Protection

  • 1.  LOG Settings in SEPM: how many entries/rows?

    Posted Feb 06, 2013 11:36 AM

    Case Scenario.

    10.000 SEP 12.1 RU2 clients deployed with all features enabled.

    I want to maintain 60 days of logs.

    What ENTRIES value do I have to set?

     

    Just to have an idea.

    I've seen that if I put 10k entries I see only the last 4 hours in the client activity...



  • 2.  RE: LOG Settings in SEPM: how many entries/rows?

    Posted Feb 06, 2013 11:39 AM


  • 3.  RE: LOG Settings in SEPM: how many entries/rows?

    Broadcom Employee
    Posted Feb 06, 2013 11:43 AM
    What's the heartbeat? You may want to increase and check the log retention.


  • 4.  RE: LOG Settings in SEPM: how many entries/rows?

    Posted Feb 06, 2013 11:47 AM

    Do you want to maintain all logs or just for a specific group? Generally, you should be able to set them to "60 days" in the database properties section.



  • 5.  RE: LOG Settings in SEPM: how many entries/rows?

    Posted Feb 06, 2013 11:53 AM

    Saving 12 months of logs is a lot of data to be saved and would also impact your SEPM performance, i.e. while exporting logs. You would experience very slow loading of Home, Monitors and Reports, or sometimes it would time out.

     

     



  • 6.  RE: LOG Settings in SEPM: how many entries/rows?

    Posted Feb 06, 2013 11:55 AM

    Secondly, it saves up to 10000 entries; not sure if there are more detections than 10000, irrespective of the days or months it won't keep longer.



  • 7.  RE: LOG Settings in SEPM: how many entries/rows?

    Posted Feb 06, 2013 11:59 AM

    If I increase the value in the entries section, I think it will retain the new value set.

    I've edited the properties in the DB server via SEPM Console but dunno the approximate value to set.

     

    The heartbeat is set to 20 minutes.



  • 8.  RE: LOG Settings in SEPM: how many entries/rows?

    Posted Feb 06, 2013 12:14 PM

    Any idea as to how much log data your clients generate?

    The first section "Management Server Log Settings" is just strictly events related to the SEPM. You can check these logs by going to Monitors >> Logs and setting the Log type to System; for Log content there are 5 options. You can look through each one. These fill up pretty quickly though.

    Client Log Settings can be another large amount of data, especially if you are logging firewall traffic logs.

    Risk Log Settings may be the smallest amount of data, depending on how you use them but they could be pretty large as well.

    Depending on the specs of your server and DB, performance may take a hit. Do you have an option to send to syslog? This would be ideal.



  • 9.  RE: LOG Settings in SEPM: how many entries/rows?

    Posted Feb 06, 2013 02:45 PM

    Well.. then default settings are good enough to store that much data for 10k clients, except Traffic and Control logs.. they create lots of noise and a lot of data will be uploaded; same with SNAC if you have it enabled.

    So increase the Traffic and Control logs to say 50k or 100k to start with and check how much data can be pulled.

    Remember, 10,000 doesn't mean you will have 10k rows in the logs; it is 10k types of types as every type of log can be broken down further.