I would like to know what people's recommendations are for the time to keep events. I have a 1-hour ASCI set and 3 products being managed. I have 12,000 systems being managed. I do not want to delete crucial events, but want to delete stuff that is not important. Probably average 4.5 events per client per day.
What is the recommended number of events to keep, and how many millions before things get slow?
Ideally, keeping events for a year would be best, to be able to trace back outbreaks, abuse, etc., surely?
I read McAfee's sizing documents for ePO, and they talk about the number of systems that can be managed and concurrent usage of the dashboards. In the test, they have 50,000 systems, but only 6,000,000 events. With every system in there, say, having a 1-hour ASCI and 4 events per client per day each, that is only 30 days' worth of information.