Is this normal (doesn't seem like it should be)?
Deleted a system from ePO that had been decommissioned and all log entries in Threat Event and HIPS are now gone as well. Obviously we'd like to keep that information.
Any ideas or help is greatly appreciated.
I apologize but I am not able to reproduce it. The event should not be deleted once machine is deleted from the server.
The events certainly shouldn't be deleted, but it's possible you may not be able to see them any more (I realise that sounds like a nonsense sentence but bear with me.)
I assume that you can no longer see events for the deleted machine in the results of queries - is that correct? If so, are you logged on as a global admin user when you run the query? If not, try the query under a global admin account - do you see the results again?
There's a scenario where deleted machine events are hidden from non-global-admin users - I'm wondering if that's what's happening here...
Thanks for the reply. That would make sense. However, I am logged in as a Global Admin, so.
It's not even just running a query (just looking at the Threat Event Logs (which is 'technically' a query of sorts I guess) it doesn't show up. The only place it shows up after deletion is in the Audit Logs where it shows me deleting it.
Odd. There's not really any filtering on the threat event log that should be hiding anything like this...
If you write a very simple query to search for threat events from that particular machine name, is anything shown?
Do you have access to the SQL Management Studio and are you happy running queries directly against the ePO database?
So, it gets even more weird. Client events query shows the system. Threat Events does not.
I do have access to the SQL Management Studio. What would the correct query for that be?
Thanks for the help.
Okay, that makes sense - at least it implies that there's no deliberate removal of events when a machine is deleted. (If there were, we'd be removing the product events as well.)
To see if there are any threat events at all for this machine, you could try the following query against the ePO database:
SELECT * FROM ePOEvents WHERE AnalyzerHostName = 'XXXXX'
where XXXXX is the name of the machine. (Make sure it is enclosed in the single quote marks.) If you run this query does it return anything at all?
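As an added illustration (not code from this thread, and not the real ePO schema), the following Python script builds a small in-memory stand-in for the ePOEvents table and shows the retention check the thread is working towards: delete a decommissioned machine, then confirm its threat events are still returned by a query on AnalyzerHostName. Only the table name ePOEvents and the column AnalyzerHostName come from the thread; the Systems table, the other event columns and the sample rows are constructed for the example. The host name is passed as a bound parameter rather than pasted inside single quotes, which is the safer habit when running such queries by hand in Management Studio as well.

```python
import sqlite3

# Constructed sample rows. Only the table name ePOEvents and the column
# AnalyzerHostName are taken from the thread; EventID, ThreatName, DetectedUTC
# and the separate Systems table are stand-ins for this illustration and do
# not reflect the real ePO schema.
SAMPLE_SYSTEMS = [("WS-OLD-01",), ("WS-ACTIVE-02",)]
SAMPLE_EVENTS = [
    (1, "WS-OLD-01", "EICAR-Test-File", "2023-01-10T09:12:00Z"),
    (2, "WS-OLD-01", "Generic.Trojan", "2023-02-03T14:30:00Z"),
    (3, "WS-ACTIVE-02", "EICAR-Test-File", "2023-02-04T08:00:00Z"),
]


def build_db():
    """Create an in-memory stand-in for the relevant parts of the ePO database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Systems (NodeName TEXT PRIMARY KEY)")
    conn.execute(
        "CREATE TABLE ePOEvents ("
        "EventID INTEGER PRIMARY KEY, AnalyzerHostName TEXT, "
        "ThreatName TEXT, DetectedUTC TEXT)"
    )
    conn.executemany("INSERT INTO Systems VALUES (?)", SAMPLE_SYSTEMS)
    conn.executemany("INSERT INTO ePOEvents VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def events_for_host(conn, host):
    """Return all threat events recorded for one host.

    Same intent as the query in the thread, but the host name is bound as a
    parameter so the caller never has to hand-quote it.
    """
    cur = conn.execute(
        "SELECT EventID, AnalyzerHostName, ThreatName, DetectedUTC "
        "FROM ePOEvents WHERE AnalyzerHostName = ? ORDER BY EventID",
        (host,),
    )
    return cur.fetchall()


def delete_system(conn, host):
    """Remove the system record only; no statement touches ePOEvents."""
    conn.execute("DELETE FROM Systems WHERE NodeName = ?", (host,))
    conn.commit()


def orphaned_event_hosts(conn):
    """Hosts that still have events but no longer exist in the System Tree.

    This is the retention check: after a decommissioned machine is deleted,
    its name should show up here rather than vanish from the event table.
    """
    cur = conn.execute(
        "SELECT e.AnalyzerHostName, COUNT(*) FROM ePOEvents e "
        "LEFT JOIN Systems s ON s.NodeName = e.AnalyzerHostName "
        "WHERE s.NodeName IS NULL "
        "GROUP BY e.AnalyzerHostName ORDER BY e.AnalyzerHostName"
    )
    return cur.fetchall()


def retention_check(host="WS-OLD-01"):
    """Delete one host and report whether its events are still queryable."""
    conn = build_db()
    before = len(events_for_host(conn, host))
    delete_system(conn, host)
    after = len(events_for_host(conn, host))
    orphans = orphaned_event_hosts(conn)
    conn.close()
    return {"before": before, "after": after, "orphans": orphans}


if __name__ == "__main__":
    print(retention_check())
```

The orphaned_event_hosts query is the useful part to carry over to a real ePO database: if a direct query against ePOEvents still returns rows for the deleted host while the console shows nothing, the data is intact and the problem is in the console's view, not in retention.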