I was trying to create Dashboards on SIEM and by mistake instead of deleting the old dashboard I deleted ALL events from the Dashboard.
Now my challenge is that it seems as if every time SIEM pulls events from different Data sources it deletes some miscellaneous events, and I would like to find out if there is a way I can stop this from happening, as I do not want any events to be deleted.
Thanks in advance,
What indication do you have that events are deleted?
Are there any flags?
Did you try to recover your events by requerying your Receiver(s)?
Is it possible there is a time problem with some events?
On my default Dashboard I can see an event showing files are being deleted; yesterday alone I had more than 100 files deleted.
The directory of the files being deleted is /ss1/usr/local/ess/Misc/ and I would like to find out if there is a way I can stop these files from being deleted.
New events are coming in, but every time new events come in from my Receiver more files get deleted, and I am worried as I do not know what impact this will have on the system.
I am not sure if it could be a problem with time on some events and need to establish that so I can stop worrying.