Endpoint Protection

Agent Behaviour Log

    Posted Sep 26, 2018 09:46 AM

    I have attempted to configure a policy to log any instances of creates/writes/modifies for the hosts file on Windows machines in our infrastructure. This is being done as part of the Application and Device Control policy. The policy / configuration is able to be set in place and I can see the client logging this activity to its local processlog.log file. However, if I query the database directly I get strange behaviour.

    The database I am querying is "V_AGENT_BEHAVIOUR_LOG". I have set the policy above to "continue processing" but log the event as a Critical - 0 event (where it's a create/modify/write). When looking for a machine in the log file I see some of the alerts that are in processlog.log but not all. I also note that if I search the database periodically, the machine I was looking for will no longer return results. Eventually, after a long time, it will appear again (with partial logs) and as I am searching it will disappear again.

    I don't believe this is a client issue but more of a database misconfiguration. We have approximately 9000+ endpoints registered (and growing) and we are logging a lot of things from these machines.

    Our client log configuration for "Control Log" is Max size 1024KB and retain for 14 days, with these logs set to "Upload to management server". The log settings for the database are configured with the following Client Log Settings: Control Log Limit - 20000 entries, which expire in 60 days. All other logs such as client, security and packet are 10000 entries, and the traffic log limit is 50000 entries.

    Would it be fair to say that the control log table is saturated with information, and any event that we may be interested in might actually be being removed, as the number of entries coming in is just too much for the currently configured Control Log Limit?

    Outside of "tweaking" what actually gets logged from the client, what is the recommended value (or is there a calculation method) for what this control log limit should be set to? What are the implications from a database perspective of increasing the control log limit? Should the expiry of the client log limit be a shorter duration?
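The saturation hypothesis in the post can be checked with a small model of a row-capped log table. The following is an added example, not Symantec code or anything from the SEP database: it assumes the table purges oldest rows first once the configured limit is reached, uses constructed host names and event counts, and takes the 9000 endpoints and 20000-row Control Log Limit from the post as inputs.

```python
"""Toy model of a row-capped control-log table (added example, not SEP code).

Assumptions: the table keeps at most `limit` rows and drops the oldest row
when a new one arrives (oldest-first purge). Host names, event counts per
host and the ordering of uploads are constructed sample data.
"""
from collections import deque
import random


def ingest(events, limit):
    """Insert events into a table that holds at most `limit` rows.

    deque(maxlen=...) discards the oldest entry on overflow, which is the
    assumed purge behaviour; the expiry-in-days setting never gets a chance
    to act if the row limit is hit first.
    """
    table = deque(maxlen=limit)
    for ev in events:
        table.append(ev)
    return table


def rows_for_host(table, host):
    """Return the rows that survived in the table for one host."""
    return [ev for ev in table if ev["host"] == host]


def generate_events(num_hosts, events_per_host, seed=1):
    """Constructed sample: every host uploads `events_per_host` hosts-file
    events, interleaved across the fleet in a fixed random order."""
    rng = random.Random(seed)
    events = [{"host": f"host-{h:05d}", "seq": s}
              for h in range(num_hosts) for s in range(events_per_host)]
    rng.shuffle(events)
    return events


def required_limit(num_hosts, events_per_host_per_day, retention_days):
    """Rows the table must hold so that the expiry window, not the row cap,
    decides what is dropped: fleet size x daily rate x retention days."""
    return num_hosts * events_per_host_per_day * retention_days


def demo(num_hosts=9000, events_per_host=3, limit=20000, host="host-00042"):
    """Run one upload cycle through the capped table and report what remains.

    Returns (events generated, rows kept, rows kept for `host`).
    """
    events = generate_events(num_hosts, events_per_host)
    table = ingest(events, limit)
    return len(events), len(table), len(rows_for_host(table, host))


if __name__ == "__main__":
    generated, kept, kept_for_host = demo()
    print(f"generated={generated} kept={kept} kept_for_host-00042={kept_for_host}")
    print("rows needed for 3 events/host/day over 14 days:",
          required_limit(9000, 3, 14))
```

With the post's figures, 20000 rows spread across 9000+ endpoints is roughly two rows per endpoint, so under an oldest-first purge a host's events are pushed out as soon as the rest of the fleet uploads another cycle, which matches a host appearing, disappearing and reappearing between queries. `required_limit` gives the row count at which the 60-day expiry rather than the cap becomes the binding constraint, and it grows linearly with fleet size and event rate, which is the cost side of raising the limit.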