Q: What SCSP settings/features are available to manage the amount of logs that are retained on the agent computer?
A: Users can manage the following aspects of agent log files via console controlled configuration settings:
Rotation of log files by size or schedule
- Transport of the compressed log files to the server. This also includes tracking the log file attributes (agent name, filenames, sizes, checksums, and event stats) in the database.
- Deletion control of agent log files once processing is completed. The default setting is to NOT delete the log files. The customer can implement their own log retention scheme. Enabling the automatic cleanup feature will cause the agent log files to be deleted once processing (ie, the compressed log file transmitted to the server) is completed.
- Logging threshold control. These settings can limit the recording of new event records based on disk space considerations. Use these settings to keep SCSP from consuming too much available disk space when writing log data.
A simple way for the customer to implement custom retention control for agent log files is as follows:
- Build a script that deletes agent log files older than N days (or whatever custom retention scheme is desired)
- Install the script on the agent. Enter the script pathname in the SCSP commands.txt file on the agent (C:\Program Files\Symantec\Critical System Protection\Agent\IDS\system. The commands.txt file controls which script/binaries a SCSP policy is allowed to execute locally. Typically, this commands.txt file is defined once and installedcopied to the agent along with the custom scripts.
- Build a detection policy that executes the script on a scheduled basis.