i have a question about how ESM works. We have two event receivers in our SIEM.
Before, there was an ability to see events by each about 3 months, but now i can see events about two weeks on first receiver and only 1 week on the second.
So, why this happen and is it possible to increase maximum events number, which stoerd in ESM?
Also, if events from both receivers sent to ESM, why storage period is different between this receivers?
How are your storage pools configured for the devices?
The retention period for receivers would be determined by the time period specified in the storage pools that the receivers are assigned to.