Events displayed in Reports


Big Time

I have one question regarding USM reports. I have the default configuration in the backup (keep events for 5 days in the database), so when I make a report of certain events of the last 30 days, it only shows me the events of the last 5 days.

I have searched in other posts and it seems that if I increase the 5-day configuration it would impact the performance of my database. The logger keeps more than 5 days of logs, but it only saves the raw log, not the event, so I think that it will not work if I want to generate an event report (please confirm).

So, is the only solution to increase the number of days in the backup configuration to get reports with events older than 30 days?

Thanks in advance for your help

    You can search userdata in the logger as well but not as easily as in the SIEM view. As for the events in the database, it is 5 days or 4,000,000 events, whichever is reached first. So if your events do not come in as fast, you can afford to keep events in the database for longer. You can increase the 4M threshold as well, but the performance might decrease.   


  • The logger does keep the events, but in a raw log/text format. So depending on what you want to see in the report, you may be able to use those Raw Logs reports. Have you run them and seen what they look like?
  • Thanks for your reply. I think that the raw logs don't work for me. One example: I'm parsing Windows-Snare logs to get a report of users created in the last month, so I have certain userdata fields on the event to generate this custom report.

    So the only solution in this case should be to increase the number of days for the events in the database?
