Endpoint Protection

  • 1.  SQL Database movement_Log Retention

    Posted Nov 20, 2014 01:55 AM

    Hello,

    Our setup has 10,000+ SEP Clients reporting to the SEPM. As per policy, 1 year's logs need to be retained for analysis and scrutiny.

    In order to maintain the SQL server running without being overloaded, and to make SEPM-SQL communication smooth, it has been decided that only 3 months' data would be retained on SQL at any given point in time.

    Is there a way that data older than 3 months can be automatically moved over to another SQL DB, and then retained for 9 months from that point on, to meet the policy requirement?

     

    Thanks,
    Jimmy

    =-=-=



  • 2.  RE: SQL Database movement_Log Retention

    Posted Nov 20, 2014 07:52 AM

    All log data would need to stay on the SEPM / DB.

    You could send it to syslog or to a dump file.



  • 3.  RE: SQL Database movement_Log Retention

    Posted Nov 20, 2014 08:45 AM

    Hi Brian,

    Didn't quite understand what you wanted to convey! Could you please elaborate?

    Do you intend to say that logs can be retained on SEPM/DB, and can also be sent to a SYSLOG Server and/or a DUMP File?
     

    Thanks,
    Jimmy

    =-=-=



  • 4.  RE: SQL Database movement_Log Retention

    Posted Nov 20, 2014 08:53 AM

    There is no option in the SEPM to automatically move data to another DB. Yes, you can retain logs on the SEPM for as long as you wish, provided you have the space, but if you don't, then the best option is to use either syslog or dump to files.



  • 5.  RE: SQL Database movement_Log Retention

    Posted Nov 20, 2014 10:03 AM

    You can opt for a Syslog server. This would help you with what you are referring to.

    Refer:

    https://www-secure.symantec.com/connect/forums/external-logging-syslog-server



  • 6.  RE: SQL Database movement_Log Retention

    Posted Nov 25, 2014 06:00 AM

    We would try out the Syslog option in this regard.

    Out of all logs sent to the Syslog Server, if only certain logs need to be pulled out for analysis, is there a list of IDs or the like, that can be filtered with or referred to?



  • 7.  RE: SQL Database movement_Log Retention

    Posted Nov 25, 2014 07:56 AM

    Not that I'm aware of. You need to send the logs and review from the syslog side. Most are self-explanatory once you start reviewing.