Endpoint Protection

  • 1.  Which settings to ensure that the Client Antivirus event is kept 1 year on the SEPM DB?

    Posted Jan 19, 2014 09:56 PM

    Folks,

    In SEPM 12.1.3, where can I set the SEP client event log to be kept by the server for one year?

    Shall I go to:

    Option A: Admin --> Server --> localhost --> Edit database properties --> Log settings.
    Option B: Policies --> Virus & Spyware Protection --> Antivirus and Spyware Policy (edit settings) --> Advanced Options --> Miscellaneous --> Log Handling --> "Delete logs older than ...." text box?

    Which one to set? I'm confused between those two settings above.

    How big is the file size going to be in the SQL Server back-end database?



  • 2.  RE: Which settings to ensure that the Client Antivirus event is kept 1 year on the SEPM DB?
    Best Answer

    Posted Jan 19, 2014 10:03 PM

    You want to keep the client log for a year? Any reason why?

    To have the SEPM keep the logs for a year, you can do this with option A. This is where the SEPM log settings can be configured.

    If you want the client itself to keep the logs for a year, follow this article to set it:

    How to manage SEP client log retention settings

    Article: TECH188992 | Created: 2012-05-17 | Updated: 2012-05-25 | Article URL: http://www.symantec.com/docs/TECH188992

    See this for an explanation of your option B above:

    Modifying miscellaneous settings for Virus and Spyware Protection on Windows computers

    Article: HOWTO81014 | Created: 2012-10-24 | Updated: 2013-10-07 | Article URL: http://www.symantec.com/docs/HOWTO81014

    The file size will vary depending on how many clients you want to do this for and how many events they have in the logs...



  • 3.  RE: Which settings to ensure that the Client Antivirus event is kept 1 year on the SEPM DB?

    Posted Jan 19, 2014 10:21 PM

    Brian,

    Thanks for the reply. It is part of the PCI-DSS compliance requirement; I need to retain the events for one year in the SEPM database (SQL Server side), not on the client.

    So in this case, I was guessing option B, because it is clearly stated in the policy.



  • 4.  RE: Which settings to ensure that the Client Antivirus event is kept 1 year on the SEPM DB?
    Best Answer

    Posted Jan 19, 2014 10:23 PM

    In that case, then option B should work for the virus and spyware logs.



  • 5.  RE: Which settings to ensure that the Client Antivirus event is kept 1 year on the SEPM DB?

    Posted Jan 19, 2014 10:32 PM

    Thanks Brian.

    Do I need to set this value as well, or is just the one in the policy in option B enough?

    [attached screenshot: SEP-Logs.JPG]



  • 6.  RE: Which settings to ensure that the Client Antivirus event is kept 1 year on the SEPM DB?
    Best Answer

    Posted Jan 19, 2014 10:33 PM

    That pertains to risk events (infections), so it just depends on whether you're required to keep those as well. If so, then yes.



  • 7.  RE: Which settings to ensure that the Client Antivirus event is kept 1 year on the SEPM DB?

    Posted Jan 19, 2014 10:43 PM

    Cool, many thanks Brian.



  • 8.  RE: Which settings to ensure that the Client Antivirus event is kept 1 year on the SEPM DB?

    Posted Jan 19, 2014 10:53 PM

    Glad to help, John.

    Take care.



  • 9.  RE: Which settings to ensure that the Client Antivirus event is kept 1 year on the SEPM DB?

    Posted Jan 20, 2014 11:08 AM

    Option B has nothing to do with the database, only with logging on the clients. That's what the online help says:

    The option does not affect any events that the clients send to the management console. You can use the option to reduce the actual log size on the client computers.

    If anything, option A is the way to go; however, why don't you consider external logging? In a previous thread of yours, Beppe explained that the maximum log retention in SEPM is 90 days, so you have to do it this way.



  • 10.  RE: Which settings to ensure that the Client Antivirus event is kept 1 year on the SEPM DB?

    Posted Jan 20, 2014 04:31 PM

    Ah yes, many thanks Greg.

    I'll reduce the setting in option A to just 30 days (to reduce disk space on the client), while in option B I will increase it to 1 year.