Channel: Symantec Connect - Products - Discussions

SEP SQL Log Keeps growing out of control

I need a solution

Not sure if I am missing something regarding the logging, but ever since I made a change from the default settings, my log keeps growing.  It used to be about 40GB, now it is 450GB in about a week's time.

 

Essentially what happened was that we were at the default logging settings and with 40k endpoints, this means we are likely losing event data because the default settings with 40k endpoints are not much.  As a result, we increased logging to what I would consider max entries, but limited by day.  So, 999999999 entries for 2 days.  However, the 2 days thing does not seem to be working.  Am I missing something?

Looking in the SQL tables and converting the epoch date to real time, I have 5-day-old timestamps.  I would think that the 2 day limit should kick in and clear these events, but maybe I am not getting it....

I spoke with support as well on this and they said the following:

There are 2 logs for each item because the SEPM writes to 1 until the limit is met according to your settings and then it will switch to the other one.  This data shows that AGENT_BEHAVIOR_LOG_2 has 98,226,581 events and AGENT_BEHAVIOR_LOG_1 has 88,256,401.  The limit is 999,999,999 events or 2 days whichever comes first.  It seems the database is only about 5% of its potential size.  If there was a day of many more events totaling closer to 1 billion then both of the tables could reflect that added size.

 

If your goal is to stop growth then the control log event setting should be less than 100,000,000 and traffic log should be less than 60,000,000 for this environment.  That would help to maintain the database at the current size.

 

If your goal is to capture all the events then the database is definitely going to get much, much bigger.  As I said before, there is a possibility that there are events logged that are unnecessary to your needs.

My thought is that regardless of size, after 2 days events should be cleared.  Much like 10k events for 30 days does not go past 10k events, I would think that if I am at 100,000,000 of 1,000,000,000, on day 3 all events from day one are removed, but obviously not.
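
A small model of the two-table rotation that support describes in the post above, as an added example (not Symantec code and not part of the original post). It assumes that the table being switched to is emptied at the moment of the switch and that nothing is deleted at any other time; the class and function names and the event rates are constructed for illustration.

```python
from dataclasses import dataclass, field

DAY = 86_400  # seconds


@dataclass
class LogTable:
    opened_at: float = 0.0
    events: list = field(default_factory=list)  # event times, oldest first


class TwoTableLog:
    """Model: write to one table until a limit is hit, then switch to the other."""

    def __init__(self, max_events, max_days):
        self.max_events = max_events
        self.max_age = max_days * DAY
        self.tables = [LogTable(), LogTable()]
        self.active = 0

    def write(self, ts):
        cur = self.tables[self.active]
        full = len(cur.events) >= self.max_events
        expired = ts - cur.opened_at >= self.max_age
        if full or expired:
            self.active ^= 1
            # Assumption: the table being switched to is emptied only now.
            self.tables[self.active] = LogTable(opened_at=ts)
            cur = self.tables[self.active]
        cur.events.append(ts)

    def oldest_age_days(self, now):
        firsts = [t.events[0] for t in self.tables if t.events]
        return (now - min(firsts)) / DAY if firsts else 0.0


def max_retained_age(max_events, max_days, events_per_day, run_days):
    """Oldest row age (days) ever seen in either table during the run."""
    log, step, worst = TwoTableLog(max_events, max_days), DAY / events_per_day, 0.0
    for i in range(int(run_days * events_per_day)):
        ts = i * step
        worst = max(worst, log.oldest_age_days(ts))
        log.write(ts)
    return worst


if __name__ == "__main__":
    # Constructed rates, scaled down from the post's settings.
    print(max_retained_age(999_999_999, 2, 24, 10))  # time limit governs
    print(max_retained_age(10, 30, 24, 10))          # count limit governs
```

Under these assumptions a 2-day limit with an unreachable entry count leaves rows up to 4 days old in the inactive table, because a limit only triggers a switch and the older table is not cleared until it is reused.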

