Endpoint Protection


NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs


  • 1.  NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 14, 2015 11:21 AM

    NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs?

    Please suggest.



  • 2.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 14, 2015 11:24 AM

    NTP = Network Threat Protection (firewall and IPS)

    Risk log shows virus activity while NTP will show IPS and firewall alerts.



  • 3.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 14, 2015 11:40 AM

    Thank you. Is there a SEPM setting to configure to keep NTP logs? Are NTP logs also included in the risk logs, or do NTP logs have different log settings? Please suggest.



  • 4.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 14, 2015 11:45 AM

    They're separate logs.

    Go to the Clients page >> Policies tab >> Client Log Settings

    You can set the retention for your logs here



  • 5.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 14, 2015 11:51 AM
      [attachment]

    Thanks. Is the above setting to keep the log retention on the client end or in SEPM? Where can we find older logs if we need them? Please find attached a screenshot of that setting.



  • 6.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 14, 2015 11:53 AM

    This is for the client.

    For SEPM go to Admin >> Servers >> select your DB and select Edit Database Properties >> Log Settings. Edit everything here for SEPM retention.



  • 7.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 15, 2015 01:21 AM

    The maximum number of event entries to be kept for NTP can be set in the database properties window.

    The number of events created by NTP per day (especially the firewall) is huge. Hence, in a network with more clients, the default number of entries to be kept is easily reached within a week (or even a day, in bigger networks), causing the old entries to be purged.

    It is better to increase the number of entries as required.



  • 8.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 15, 2015 03:38 AM
      [attachment]

    Thank you. Which log setting is for NTP here? Please find the attached setting. If we need old logs, how do we get them from SEPM?



  • 9.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 15, 2015 04:53 AM

    When I checked yesterday from the Monitor tab, NTP and attack logs, it is not showing yesterday's logs; it shows only the current day. Where can we see those old logs? Can this be controlled in SEPM?



  • 10.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 15, 2015 06:04 AM

    Which log setting is for NTP here? Please find the attached setting. If we need old logs, how do we get them from SEPM?

    Most important logs are Traffic Log (firewall), Packet Log (IPS) and Security Log (Attacks, Blocking etc.).

    When I checked yesterday from the Monitor tab, NTP and attack logs, it is not showing yesterday's logs; it shows only the current day. Where can we see those old logs? Can this be controlled in SEPM?

    If you look at Monitors > Logs > NTP > Attacks, you will only see, well, the attacks. Increase the time range to see more than the past 24 hours. If it is your goal to check the traffic log (firewall), you have to use the Monitors > Logs > NTP > Traffic setting.



  • 11.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 15, 2015 06:10 AM

    Yes, I am trying the same. Yesterday it was showing 11 attack logs, and when I look today it's showing 5 logs. Even when I check the 24 hrs, past week and past month time ranges, I can only see today's logs.



  • 12.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 15, 2015 06:47 AM

    Of course it's possible that the respective tables in the database reached their thresholds (10,000 lines or 60 days in your case) and database maintenance has wiped away older entries. That could be a reason for "missing" log entries.

    You could increase the number of days from 60 to e.g. 90 or 120.

    BTW, if you need long-time logging data, you can send your logs to a Syslog server (see Admin > Servers > Local Site > Configure External Logging) or to Dump Files.



  • 13.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 15, 2015 07:02 AM

    Security Log Limit and Traffic Log Limit



  • 14.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 15, 2015 07:22 AM

    Yes, we have the setting to retain for 60 days. When we view today's reports it should include yesterday's 11 logs + today's entries, but that is not showing here; it's showing only 5 logs. Where did those logs go? How can we see them?



  • 15.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 16, 2015 04:14 AM

    NTP >> Attack logs: as monitored for 2 days, these logs are disappearing from SEPM. Unable to see previous logs; we can only see logs within 1 day. Please suggest.



  • 16.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 18, 2015 06:35 AM

    Is there any log setting that needs to be done to report previous days' logs in NTP > Attacks logs? Please suggest if you have any. Presently we can see only 1 day's logs.



  • 17.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 18, 2015 06:54 AM

    Is your DB on SQL?



  • 18.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Dec 18, 2015 07:07 AM

    Yes, it is SQL: Microsoft SQL Server 2008 R2 (SP2) - 10.50.4000.0 (X64)



  • 19.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Mar 14, 2016 09:57 AM

    Which log setting needs to be increased here? Please advise.



  • 20.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Trusted Advisor
    Posted Mar 14, 2016 10:21 AM

    greg12 has given you the answer to why it's happening. Your setting has xxx entries OR xxx days; whichever comes first, they will be purged. Since you're seeing less and less logs, it would appear that in your case the entries limit is being filled up first, and fast.

    If you increase the Entries value to a higher number, you should be able to see the previous data.

    For long-term data logging, I would suggest that it's outputting to a Syslog server where you can manipulate the data better & in your terms.



  • 21.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Mar 15, 2016 05:37 AM

    How much disk space is required, or by approximately how much will it increase, if the value of the security log limit is increased from 10,000 to 20,000?



  • 22.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Trusted Advisor
    Posted Mar 15, 2016 05:47 AM

    A good question, but it's difficult to know since an entry can be a small or a large data entry. I would advise that you increase it and then monitor the disk space & adjust where needed.



  • 23.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Posted Mar 16, 2016 12:38 PM

    Thank you. I increased the security log limit and am able to see more logs, but I am seeing previous days disappearing. Any advice please.



  • 24.  RE: NTP logs are disappearing, unable to see yesterday's logs in SEPM, how can we pull old logs

    Trusted Advisor
    Posted Mar 17, 2016 06:00 AM

    It would appear that you're still hitting the limit, so the data must be huge. I think, based on what you've said here, you're better off with having a Syslog server, where you can capture everything without losing any data.

    Then from the Syslog server, you can write reports & gather data at any time you wish to generate the report you want to see. This is what I would set up if this happens to me.

    Syslog is handy because it can capture everything without deleting anything, so you build up a better picture of the data.

    Is this something you can build & set up? Details at https://support.symantec.com/en_US/article.HOWTO81169.html
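
To make the advice in posts 7, 12, 20 and 24 concrete, here is an added Python example (my code, not Symantec's, and not part of the original thread). The first part reads NTP security events that SEPM has forwarded to a syslog collector and reports events per day, top remote sources and occurrences per event type, which is the kind of long-term reporting the thread recommends doing outside SEPM. The second part computes how many days the SEPM database actually keeps under the "N entries OR N days, whichever comes first" rule, and how large the entry limit must be to hold a target number of days. The sample lines are constructed; the `SymantecServer:` tag and the comma-separated `Key: value` payload layout are assumptions modelled on SEPM's external logging output, not a verified schema, so check the field order against your own exported lines (or the HOWTO article linked in post 24) before pointing the parser at real data.

```python
"""Report on SEPM NTP security events collected by a syslog server, and size
SEPM's own log retention.  Example code, not part of the SEPM product."""
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample input (not real SEPM output).  ASSUMPTION: SEPM relays each
# NTP security event as "<syslog header> SymantecServer: <host>,Key: value,..."
# Four usable events, one truncated record and one line from another device.
SAMPLE_SYSLOG = """\
Dec 14 09:12:01 sepm01 SymantecServer: WS-1042,Event Description: Denial of Service attack detected,Local: 10.1.4.42,Remote: 10.1.9.7,Begin: 2015-12-14 09:11:58,End: 2015-12-14 09:11:58,Occurrences: 1
Dec 14 13:40:22 sepm01 SymantecServer: WS-1042,Event Description: Port scan detected,Local: 10.1.4.42,Remote: 192.0.2.17,Begin: 2015-12-14 13:40:10,End: 2015-12-14 13:40:18,Occurrences: 40
Dec 14 17:05:09 sepm01 SymantecServer: SRV-DB01,Event Description: Intrusion Prevention signature blocked traffic,Local: 10.1.2.5,Remote: 192.0.2.17,Begin: 2015-12-14 17:05:01,End: 2015-12-14 17:05:01,Occurrences: 1
Dec 15 08:01:44 sepm01 SymantecServer: WS-0311,Event Description: Port scan detected,Local: 10.1.4.11,Remote: 192.0.2.17,Begin: 2015-12-15 08:01:30,End: 2015-12-15 08:01:41,Occurrences: 12
Dec 15 08:02:00 sepm01 SymantecServer: WS-0311,truncated record with no Begin timestamp
<14>Dec 15 08:02:05 router1 kernel: unrelated message from another device
"""

# Classic BSD syslog header followed by the (assumed) SEPM tag.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<relay>\S+) SymantecServer: (?P<payload>.+)$"
)


def parse_events(text):
    """Return (events, malformed_count).  Each event is a dict with host,
    description, local, remote, begin (datetime) and occurrences (int).
    Lines that do not match the header or lack a Begin timestamp are counted
    as malformed rather than silently dropped, so gaps in the feed show up."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SYSLOG_RE.match(line)
        if not m:
            malformed += 1
            continue
        fields = m.group("payload").split(",")
        host, kv = fields[0].strip(), {}
        for field in fields[1:]:
            key, sep, value = field.partition(": ")  # first "key: value" only
            if sep:
                kv[key.strip()] = value.strip()
        try:
            begin = datetime.strptime(kv["Begin"], "%Y-%m-%d %H:%M:%S")
            occurrences = int(kv.get("Occurrences", "1"))
        except (KeyError, ValueError):
            malformed += 1
            continue
        events.append({
            "host": host,
            "description": kv.get("Event Description", ""),
            "local": kv.get("Local", ""),
            "remote": kv.get("Remote", ""),
            "begin": begin,
            "occurrences": occurrences,
        })
    return events, malformed


def events_per_day(events):
    """Rows per calendar day: this is what SEPM's entry limit counts."""
    return dict(Counter(e["begin"].date().isoformat() for e in events))


def top_remote_sources(events, n=5):
    """Remote addresses that triggered the most security events."""
    return Counter(e["remote"] for e in events).most_common(n)


def occurrences_by_description(events):
    """Sum the Occurrences field per event type (one row may aggregate many)."""
    totals = Counter()
    for e in events:
        totals[e["description"]] += e["occurrences"]
    return dict(totals)


def effective_retention_days(limit_entries, limit_days, events_per_day_rate):
    """Days actually retained under 'entries OR days, whichever comes first'."""
    if events_per_day_rate <= 0:
        return float(limit_days)
    return min(float(limit_days), limit_entries / events_per_day_rate)


def entries_needed(target_days, events_per_day_rate):
    """Entry limit required so the day limit, not the row limit, is what purges."""
    return math.ceil(target_days * events_per_day_rate)


if __name__ == "__main__":
    evts, bad = parse_events(SAMPLE_SYSLOG)
    print(f"parsed {len(evts)} events, {bad} malformed lines")
    print("events per day:", events_per_day(evts))
    print("top remote sources:", top_remote_sources(evts, 3))
    print("occurrences by type:", occurrences_by_description(evts))
    # Post 12's thresholds (10,000 entries / 60 days) at an assumed 2,000 rows/day
    print("days kept at 2000 rows/day:", effective_retention_days(10000, 60, 2000))
    print("entries needed for 60 days:", entries_needed(60, 2000))
```

Running it on the constructed sample reports the two malformed lines separately from the four events, which is the check to keep when the collector is fed by a real SEPM: a rising malformed count usually means the field layout changed (a new SEPM version or a description containing commas), not that attacks stopped. The retention helpers make the advisor's point in post 20 explicit: with a 10,000-entry limit the 60-day setting is irrelevant once the daily row rate exceeds about 167, and the limit has to grow with the fleet rather than being raised once.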