
LOG Settings in SEPM: how many entries/rows?

Created: 06 Feb 2013 | 8 comments
diabolicus23's picture

Case Scenario.

10.000 SEP 12.1 RU2 clients deployed with all features enabled.

I want to maintain 60 days of logs.

What ENTRIES value do I have to set?

Just to have an idea.

I've seen that if I put 10k entries I see only the last 4 hours in the client activity...

pete_4u2002's picture

What's the heartbeat? You may want to increase and check the log retention.

.Brian's picture

Do you want to maintain all logs or just for a specific group? Generally, you should be able to set them to "60 days" in the database properties section.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

la_ripper's picture

Saving 12 months of logs is a lot of data to be saved and would also impact your SEPM performance, i.e. while exporting logs. You would experience a very slow time loading Home, Monitors and Reports, or sometimes it would time out.

Don't forget to mark your thread as 'solved'  or vote with the answer that best helped you!
 

la_ripper's picture

Secondly, it saves up to 10000 entries; not sure if there are more detections than 10000, irrespective of the days or months it won't keep longer.


diabolicus23's picture

If I increase the value in the entries section, I think it will retain the new value set.

I've edited the properties in the DB server via SEPM Console but dunno the approximate value to set.

The heartbeat is set to 20 minutes.

.Brian's picture

Any idea as to how much log data your clients generate?

The first section "Management Server Log Settings" is just strictly events related to the SEPM. You can check these logs by going to Monitors >> Logs and set the Log type to System and for Log content there are 5 options. You can look through each one. These fill up pretty quickly though.

Client Log Settings can be another large amount of data, especially if you are logging firewall traffic logs.

Risk Log Settings may be the smallest amount of data, depending on how you use them but they could be pretty large as well.

Depending on the specs of your server and DB, performance may take a hit. Do you have an option to send to syslog? This would be ideal.

Vikram Kumar-SAV to SEP's picture

Well, then the default settings are good enough to store that much data for 10k clients, except Traffic and Control logs. They create lots of noise and a lot of data will be uploaded; same with SNAC if you have it enabled.

So increase the Traffic and Control logs to say 50k or 100k to start with and check how much data can be pulled.

Remember, 10,000 doesn't mean you will have 10k rows in the logs; it is 10k types of types, as every type of log can be broken down further.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.