What collection method for windows is the most efficient - in terms of log size
i used the RSA storage calculator to detirmine what size my data was likely to be.
windows NIC agentless size estimate is over twice the size of windows snare! why does the agentless method use so much more space than snare collection?
How much space does windows eventing for server 2008 collection use?
Warning: Unfounded hypothesis follows
Perhaps that's because enVision can compress the raw SNARE logs (text/syslog) much more than the binary contents received via the Agentless collector? The Windows Eventing service should be getting XML via WinRM, so perhaps that achieves similar compression rates to SNARE?
Look forward to the answer on this one as we're still using agentless and have no plans to move to the Win Eventing service until it's much more integrated with the enVision GUI.
There should be little/no difference between the needed space between the two windows collection methods once the logs are in the IPDB.
When envision collects agentless, it recovers the data in eventlog format then expands it to "syslog".
eventlog format is more compact that the corresponding syslog because eventlog only stores the messagetype, the message index & the the variables. To get the readable message envision finds the message format for the messagetype/index which is something like a printf format string & applies it to the eventlog.
An eventlog is thus something like "securitymessages,1020,foo,bar". If ithe format for securitymessages,1020 is "this is %s & that is %s", the log content as sent to the NIC Collector service would be "this is foo, that is bar".
When using SNARE, the expansion is done on the remote server by the SNARE agent. SNARE adds on the syslog headers but so does the agentless collector. There are just minor differences.