About configuring event aggregation in the SEPM


Article ID: 179804


Updated On:


Endpoint Protection




You configure event aggregation for client logs in two locations in the Symantec Endpoint Protection Manager (SEPM) console.

The table below describes where to configure client event aggregation and what the settings mean.




On the Policies page, Antivirus and Antispyware policy, Miscellaneous, Log Handling tab

Use this location to configure the aggregation for risk events. The default aggregation time is 5 minutes. The first occurrence of an event is immediately logged. Subsequent occurrences of the same events are aggregated and the number of occurrences is logged on the client every 5 minutes.

On the Clients page, Policies page, Client Log Settings

Use this location to configure the aggregation of Network Threat Protection events. Events are held on the clients for the damper period before they are aggregated into a single event and then uploaded to the console. The damper period helps to reduce events to a manageable number. The default damper period setting is Auto (Automatic). The damper idle period determines the amount of time that must pass between log entries before the next occurrence is considered a new entry. The default damper idle is 10 seconds.


See Configuring client log settings.