I have some questions about SIEM that I need to understand clearly. Please help me:
- Question 1: What are the normal restrictions on the maximum amount of data stored? How do I configure them?
==> my answer: I think that is Data Allocation. Right or wrong?
- Question 2: When will a partition reach its maximum size?
==> my answer:
With my configuration:
The maximum size will be 925 million events? => When the partition reaches 925 million events, it will become inactive and be deleted? If I don't configure a storage location for inactive partitions, I will lose all events when the partition reaches its maximum size?
- Question 3: Is there only one partition for events on a system?
Thanks and best regards,