What collection method for windows is the most efficient - in terms of log size
I used the RSA storage calculator to determine what size my data was likely to be.
http://www.rsa.com/experience/envision/calc/
The Windows NIC agentless size estimate is over twice the size of Windows SNARE! Why does the agentless method use so much more space than SNARE collection?
How much space does Windows Eventing for Server 2008 collection use?
Warning: Unfounded hypothesis follows
Perhaps that's because enVision can compress the raw SNARE logs (text/syslog) much more than the binary contents received via the Agentless collector? The Windows Eventing service should be getting XML via WinRM, so perhaps that achieves similar compression rates to SNARE?
Look forward to the answer on this one as we're still using agentless and have no plans to move to the Win Eventing service until it's much more integrated with the enVision GUI.
David
There should be little/no difference in the space needed between the two Windows collection methods once the logs are in the IPDB.
When enVision collects agentless, it recovers the data in eventlog format, then expands it to "syslog".
Eventlog format is more compact than the corresponding syslog because eventlog only stores the message type, the message index & the variables. To get the readable message, enVision finds the message format for the message type/index, which is something like a printf format string, & applies it to the eventlog.
An eventlog is thus something like "securitymessages,1020,foo,bar". If the format for securitymessages,1020 is "this is %s & that is %s", the log content as sent to the NIC Collector service would be "this is foo, that is bar".
When using SNARE, the expansion is done on the remote server by the SNARE agent. SNARE adds on the syslog headers but so does the agentless collector. There are just minor differences.
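The expansion the post describes (compact "file,index,variables" record plus a printf-style message format yielding the readable text) is easy to model. The following is an added example, not code from the thread or from RSA enVision or SNARE; the message-format table, the record layout, the syslog header and the sample records are all constructed for illustration, and real Windows message tables live in DLL resources rather than a Python dict. It also covers two failure modes a collector has to handle: an index with no known format, and a variable count that does not match the format.

```python
"""Expand compact Windows event-log records into readable syslog-style text
and compare the byte size of the compact form with the expanded form.

Added example; the message table and records below are constructed.
"""
from typing import Dict, List, Tuple

# Constructed message-format table keyed by (message file, message index).
# Stand-in for the printf-style strings normally read from a message DLL.
MESSAGE_FORMATS: Dict[Tuple[str, int], str] = {
    ("securitymessages", 1020): "this is %s & that is %s",
    ("securitymessages", 4624): (
        "An account was successfully logged on. "
        "Subject Account Name: %s. Logon Type: %s. "
        "New Logon Account Name: %s."
    ),
}

# Constructed compact records in the "file,index,var1,var2,..." shape.
COMPACT_RECORDS: List[str] = [
    "securitymessages,1020,foo,bar",
    "securitymessages,4624,SYSTEM,3,svc-backup",
    "securitymessages,9999,orphan",  # no format is known for index 9999
]

# Constructed fixed syslog header; both SNARE and the agentless collector
# prepend something like this, so it does not change the comparison.
SYSLOG_HEADER = "<13>Jan 01 00:00:00 winhost01 MSWinEventLog "


def parse_record(record: str) -> Tuple[str, int, List[str]]:
    """Split 'file,index,vars...' into (file, index, [vars])."""
    parts = record.split(",")
    if len(parts) < 2:
        raise ValueError(f"malformed record: {record!r}")
    return parts[0], int(parts[1]), parts[2:]


def expand_record(record: str) -> str:
    """Apply the printf-style format for (file, index) to the variables."""
    msg_file, index, variables = parse_record(record)
    fmt = MESSAGE_FORMATS.get((msg_file, index))
    if fmt is None:
        # Unknown message type/index: keep the raw fields rather than
        # dropping the event, so nothing disappears from the audit trail.
        return f"[unknown {msg_file}:{index}] " + " ".join(variables)
    expected = fmt.count("%s")
    if expected != len(variables):
        raise ValueError(
            f"{msg_file}:{index} expects {expected} variables, got {len(variables)}"
        )
    return fmt % tuple(variables)


def to_syslog(expanded: str) -> str:
    """Wrap an expanded message in the constructed syslog header."""
    return SYSLOG_HEADER + expanded


def size_comparison(records: List[str]) -> Tuple[int, int]:
    """Return (compact_bytes, expanded_bytes) over all records, headers included.

    The same header is added to both sides so the difference that remains
    is only the cost of carrying the rendered message text on the wire.
    """
    compact = sum(len((SYSLOG_HEADER + r).encode()) for r in records)
    expanded = sum(len(to_syslog(expand_record(r)).encode()) for r in records)
    return compact, expanded


if __name__ == "__main__":
    for rec in COMPACT_RECORDS:
        print(to_syslog(expand_record(rec)))
    compact_bytes, expanded_bytes = size_comparison(COMPACT_RECORDS)
    print(f"compact={compact_bytes} bytes, expanded={expanded_bytes} bytes")
```

The size difference only exists on the wire and in the collector's input buffer: once every record has been rendered to text, the storage footprint is the same whichever side did the rendering, which is the point the post makes about the IPDB.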
