The evidence folder is a UNC path. You can use any UNC share for evidence storage. It doesn't have to be on the ePO server. The evidence folder, as you can see, can grow very rapidly.
The path is set in the DLP Global Agent Configuration.
I understand where the path is set, however where is the server setting for the size limit? I need to restrict the size on the server or tell it to purge after 30 days.
I do believe there are options to configure Evidence-based settings in DLP Policy > Agent Configuration > Edit Global Agent Configuration. There is an Evidence Tab and a subheading of Agent Evidence Settings under which there are numerous size-based control elements.
I have, so far, not been able to find a way to restrict the size of the actual Evidence share.
Hope this helps.
There is no way to limit the size of the evidence share in DLP. You could always create a new drive partition with the size you have in mind. When the drive gets full the clients will stop sending data to it until there is space available.
Would be nicer if there was a setting in the console. Creating a new partition and waiting for it to fill up just sounds silly to me. Then all the new evidence gets lost unless you clean up the drive.
I think the point of collecting evidence is that you want it? Scrubbing evidence seems an odd thing to do, usually people want as much evidence as they can get.
If we added a size restriction, the next demand would be to scrub certain things in preference to other things etc.
Just allocate some more storage, or archive it out occasionally ;-)
Well designed systems have an automatic log trimming feature, FIFO based. You still need to back up/archive those logs though.
I agree. As an aside, does Windows trim the event logs automatically yet? I can't recall.
But here we are not talking about logs, we are talking about evidence that a policy was set to collect. :-(
It's not a bad idea though - feel free to submit it as a feature request if it's really important to you.
You consider Windows as well designed then? - Yes, there is an option to do that.
I always like the idea of having the log size fixed. It makes planning and maintenance simpler.
A log is a log. Some are almost completely unimportant, others extremely important.