Logging information about events for tasks and policies
Oct 23, 2023
This section offers recommendations on how to minimize the number of events for tasks and policies stored in the database of Kaspersky Security Center Cloud Console. By default, every 1000 devices have 100,000 events. If this limit is exceeded, new events overwrite old ones. As a result, critical events may disappear. Also, the Administration Server warning event named The limit on the number of events in the database is exceeded, the events have been deleted may occur. In these cases, we recommend that you follow the instructions in this section.
As a result, you will increase the speed of executing scenarios associated with the analysis of the events. Also, these recommendations help you lower the risk that critical events will be overwritten by a large number of events.
By default, the properties of each task and policy provide for storing all events related to task execution and policy enforcement. However, if a task is run frequently (for example, more than once per week), the number of events may turn out to be too large and the events may flood the database. In this case, we recommend selecting one of two options in the task settings:
- Save events related to task progress. In this case, Kaspersky Security Center Cloud Console stores only information about task launch, progress, and completion (successful, with a warning, or with an error) from each device on which the task is run.
- Save only task execution results. In this case, Kaspersky Security Center Cloud Console stores only information about task completion (successful, with a warning, or with an error) from each device on which the task is run.
If a policy has been defined for a fairly large number of devices (for example, more than 10,000), the number of events may also turn out to be large, and the events may flood the database. In this case, we recommend selecting only the most critical events in the policy settings and enabling their logging. You are advised to disable the logging of all other events.
You can also reduce the storage term for events associated with a task or a policy. The default period is 7 days for task-related events and 30 days for policy-related events. When changing the event storage term, consider the work procedures in place at your organization and the amount of time that the system administrator can devote to analyzing each event.
It is advisable to modify the event storage settings if events about changes in the intermediate statuses of group tasks and events about applying policies occupy a large share of all events in the Kaspersky Security Center Cloud Console database.