Event Log Collection

  • For audit purposes we are required to maintain a history of event logs on all of our domain controllers (13) for a period of 1 year. Where can I define how much history Kaseya is keeping in terms of Windows Application, Security, and System event logs? I should also mention that we are logging many more items than what is normally turned on out of the box, so our log files grow rather quickly.

  • Agent --> Log History Settings

  • So if I'm understanding right, I can set Event Logs to 365 on the group of computers I want to maintain that length of history for?

  • Oh wait... It appears the event logs is a global setting that applies to all computers.  I really only need the event logs for a year for the 13 domain controllers.  Any suggestions?

  • You are correct that it is a Global setting only.

  • Where do I go to review the event logs for a given machine?

  • You can view the Event Logs for a given machine by launching LiveConnect for that system, waiting for it to connect and then selecting Event Viewer.  This Global setting discussed previously is information stored in the database for reporting purposes.  So if you want to run a report on Event Logs, you would do that via the Info Center.

  • In your opinion would it be a wise choice to set the event log retention to 365?

  • NO, you'll have a MASSIVE database file if you do.

  • If long term retention is required you may want to look into 6.3, which I think will let you archive the files and keep them out of your database. This will help keep your db from corruption but allow you to still pull history data from 365 days old etc. But if you set your retention to 365 you're going to chew through some disk space.

  • First of all, I agree with danrche's second statement. It's really going to depend on the number of agents you're managing and how much of an issue disk space is for you. Mine is currently set to 365 for all my agents, just to be candid, I'm on 6.2, and don't really have any issues...knock on wood. That said, I also don't have 10s of thousands of agents. ;-)

  • We have 300-350 agents.  We are on version 6.3.  Where is the archive files setting located?

  • There's a database view called dbo.vNtEventLog that keeps ALL the events retrieved from each machine based on the retention value set.

    The view is for ALL events gathered based on Agent/Eventlog Settings, not just the ones defined within an event set.

    The retention period is specified in Agent/Log History.