multiple event archive

Created: 11 May 2009 • Updated: 21 May 2010 | 3 comments
Jaggs

Hi,
In SSIM 4.5, how can we configure multiple event archives?
I have one 9650 appliance. I want to create a separate archive for each of my offices (we have 3 offices).

3 Comments

shaun_b

Multiple Event Archives

http://seer.entsupport.symantec.com/docs/307200.htm

You can create multiple event archives to organize events into logical folders that are stored by Information Manager. You can create up to 16 archives on any appliance. Multiple event archives let you distribute the events Information Manager receives into separate folders and across multiple appliances that are based on the criteria that you choose. For example, you can create an individual archive for each product that you monitor, such as an antivirus product, and store the events that are generated by that product in a separate archive. You can create multiple archives on a single instance of Information Manager, on an attached storage device such as a DAS. You can also spread out the archives across multiple appliances.

When you want to query the event data for further analysis, you can perform a query on any or all of the event archives that you have created. That includes the archives that are stored on separate instances of Information Manager. For example, if you have created an archive that is exclusively used for antivirus events, you can choose to search either the contents of that single archive, or any combination of archives that you want. By organizing events into individual archives, you can improve the performance of the queries that are used.

When an event is received, the event is evaluated against the filter criteria in the order that is listed for the event filters in the console. Beginning with the first filter in the list, the event is passed through the filter to see if there is a match. If a match is found, the event is stored in the archive that you have specified for that filter, and event storage is complete. If the event does not match, it moves to the next filter in the list for evaluation. If no match is found in any of the filters that you have created, the event falls into the default archive.

To create a new event archive, you create a set of event filters that are used to distribute the events into the appropriate archive. When you define a filter that specifies an archive in which the events are stored, you define a subfolder on the server that behaves as a separate archive.

This is how you would query the multiple event archives:

http://seer.entsupport.symantec.com/docs/307184.htm
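
A minimal model of the first-match filter evaluation described in the post above, as an added example (it is not Symantec's code and not part of the original post). The field names, subnets, filter names and archive names are constructed assumptions; it shows why filter order decides which archive a later query has to include.

```python
import ipaddress
from collections import Counter

DEFAULT_ARCHIVE = "default"  # events matching no filter land here

# Constructed filter list in console order: (filter name, criteria, archive).
# "source_net" and "product" are hypothetical criteria, not SSIM's schema.
FILTERS = [
    ("office-a", {"source_net": "10.1.0.0/16"}, "archive_office_a"),
    ("office-b", {"source_net": "10.2.0.0/16"}, "archive_office_b"),
    ("antivirus", {"product": "antivirus"}, "archive_av"),
    ("office-c", {"source_net": "10.3.0.0/16"}, "archive_office_c"),
]

def matches(criteria, event):
    """True only if the event satisfies every criterion of one filter."""
    for field, wanted in criteria.items():
        if field == "source_net":
            addr = ipaddress.ip_address(event["source_ip"])
            if addr not in ipaddress.ip_network(wanted):
                return False
        elif event.get(field) != wanted:
            return False
    return True

def route(event, filters=FILTERS):
    """Walk the filters top to bottom; the first match ends evaluation."""
    for name, criteria, archive in filters:
        if matches(criteria, event):
            return name, archive
    return None, DEFAULT_ARCHIVE

def distribution(events, filters=FILTERS):
    """Count how many events end up in each archive."""
    return Counter(route(e, filters)[1] for e in events)

# Constructed sample events.
EVENTS = [
    {"source_ip": "10.1.4.20", "product": "antivirus"},   # office A, AV
    {"source_ip": "10.3.9.9", "product": "antivirus"},    # office C, AV
    {"source_ip": "10.3.9.9", "product": "firewall"},     # office C, firewall
    {"source_ip": "192.168.1.1", "product": "firewall"},  # matches nothing
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev, "->", route(ev))
    print(dict(distribution(EVENTS)))
```

With this ordering, an antivirus event from office A is stored in the office A archive, so a search limited to the antivirus archive would not return it.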

Laurent_c

Note: if you are running SSIM 4.5, you cannot; this is a new feature of 4.6.

Jaggs

Thank you, Laurent, for your reply.

I will try this with 4.6 MP2.