Endpoint, Cloud or Log source deletion in EventLog Analyzer

Objective

You may want to delete a device or application from EventLog Analyzer for any of the following reasons:
  • The device or application no longer needs to be audited.
  • The device was added with the wrong log format.
  • The device has been decommissioned.
  • To free up a license.
  • To free up storage.
This article explains how and when to delete a device, and what happens in EventLog Analyzer when you do.

Prerequisites

  • Administrator access to the EventLog Analyzer user interface.
  • Awareness of the compliance and security requirements that apply to auditing the log source.

Steps to follow

  1. Understand how deleting a device works.
    1. Once you delete a device in the EventLog Analyzer user interface, all of its associated configuration (custom reports, parsing rules, detection rules, and so on) is deleted from the database.
    2. Raw logs (live log data stored in Elasticsearch) are not deleted immediately; they are removed only according to the configured Retention Settings.
    3. When a device or application is deleted, its archive entries (file names, location(s), and timestamps) are removed from the database. The archive files themselves are not removed, and because their entries are gone, archive retention will no longer remove them either, so they outlive your retention period unless you delete them yourself. Those files can be removed manually from the file system.
    4. We recommend deleting a device only when the device or application no longer needs to be audited for compliance or security purposes.
  2. If you misconfigured a device, take the action that matches your case.
    1. Case 1: The device or application was added with the wrong log format, and either no logs have been collected yet or collection has only just started.
      1. If collection has just started and you can accept losing those logs, proceed with the next step; otherwise, refer to Case 2.
      2. If no logs have been collected yet:
        • For syslog devices, you can simply update the log type:
          • Navigate to Settings >> Log source configuration >> Devices >> Syslog device.
          • Locate the device and select Edit/Update.
          • Pick the correct Log source type from the list and click Update.
        • For applications and other device types, delete the source and re-add it so that its logs are collected in the required format.
NOTE: For Windows devices, you can enable historic log collection while onboarding the device to collect the existing Application, Security, and System events from the Event Viewer. Refer to How to collect historic logs from Windows devices in EventLog Analyzer.
    2. Case 2: The device or application was added with the wrong log format, and logs have been collected for some time.
      Contact Technical Support with the following details so that the case can be reviewed and its feasibility checked:
      1. A screenshot of the archive file names for the affected log source.
      2. The number of archive files in the archive location.
      3. The build number of EventLog Analyzer.
      4. The current log format and the required log format.
  3. To free up a license, do one of the following, depending on your case.
    1. Case 1: The device or application is no longer needed for auditing or security analysis.
      1. Navigate to Settings >> Log source configuration.
      2. Select the appropriate category and locate the device or application.
      3. Select the entry and choose Delete to remove the source and its configuration.

NOTE: Once you delete the source, all of its configuration is removed; however, the archive files remain on disk and can be loaded at any time to view the data. Archives can be removed manually from the archive location. You can also consider Case 2.
    2. Case 2: The logs already collected from the device or application are still needed for auditing or security analysis for a period of time, but current and future logs are no longer required.
      1. Disable the device instead of deleting it. Disabling frees up the license and stops EventLog Analyzer from attempting to collect logs from that source.
      2. Navigate to Settings >> Log source configuration.
      3. Locate the category and the device or application.
      4. Select the entry and choose Disable.
NOTE: Disabling a device frees up its license and retains all of its configuration. Its data remains available from the raw live logs, archives, and so on.
NOTE: Decommissioned devices are automatically flagged with the status Decommissioned, and their license is released automatically.
  4. If you intend to delete a source to free up storage, we recommend reconsidering: the source's configuration is lost on deletion, and deletion by itself frees little space, since raw logs are removed only according to the retention settings and the archive files are not removed at all (see step 1). Instead, consider the following to reduce disk usage:
    1. Configure Log Collection Filters so that only the logs you need are collected.
    2. Set up multiple archive policies so that different sources are archived to different storage locations with different archive retention settings. Refer to the Archive help document for more details.
    3. Migrate existing data to a different location. Refer to Data migration for more details.

Tips

  • Prefer disabling a device over deleting it, as you may need its configuration later.
  • Decommissioned devices are automatically flagged with the status Decommissioned, and their license is released automatically.
  • Disabling a device frees up its license and retains all of its configuration; its data remains available from the raw live logs, archives, and so on.
  • If you accidentally deleted a device and want to add it back, do the following to re-associate its archive entries with the re-added device:
    • Locate the archive files of the device in the archive location.
    • Note the device name value in the file name (it can be a hostname, IP address, FQDN, or DNS name).
    • Add the device in EventLog Analyzer using exactly the device name noted in the previous step.
    • Navigate to Settings >> Admin Settings >> Archive >> More and select Add Archive Entries.
    • Enter the archive location in Archive Location and pick the newly added device under Select Device.
    • Click Add to register the archive entries for that device in EventLog Analyzer.
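The script below ties together three points from this article: deleted sources leave archive files on disk that nothing tracks or retires any more (step 1), Technical Support asks for the archive file names and count (step 2, Case 2), and re-adding a device requires the device name embedded in the file name (the last tip). It is an added example, not code from this article or from EventLog Analyzer. ARCHIVE_NAME_RE is a hypothetical file-name pattern (the article only states that the file name contains the device name), the sample directory it builds is constructed, and the configured-device list is something you supply from Settings >> Log source configuration; compare the pattern against a real file name from your archive location before relying on it.

```python
"""Inventory EventLog Analyzer archive files per device and flag orphans.

Added example; not code from EventLog Analyzer or from this article.
Assumptions, labelled as such:
  - ARCHIVE_NAME_RE is hypothetical. The article only says the archive file
    name contains the device name (hostname, IP, FQDN or DNS name), so the
    pattern takes everything before the first "_" as the device name.
    Compare it against a real file name from your archive location first.
  - configured_devices is the list of device names still present under
    Settings >> Log source configuration, supplied by you.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Hypothetical file-name layout: <device>_<anything>.zip or .gz
ARCHIVE_NAME_RE = re.compile(r"^(?P<device>[^_]+)_.*\.(?:zip|gz)$", re.IGNORECASE)


@dataclass
class DeviceArchives:
    device: str
    files: list = field(default_factory=list)   # full paths
    total_bytes: int = 0


def inventory_archives(archive_dir, pattern=ARCHIVE_NAME_RE):
    """Walk archive_dir and group matching archive files by device name.

    Device names are lower-cased because hostnames and DNS names are
    case-insensitive and the device list taken from the UI may differ in case.
    """
    inventory = {}
    for root, _dirs, names in os.walk(archive_dir):
        for name in sorted(names):
            match = pattern.match(name)
            if not match:
                continue                      # not an archive file, skip it
            device = match.group("device").lower()
            entry = inventory.setdefault(device, DeviceArchives(device))
            path = os.path.join(root, name)
            entry.files.append(path)
            entry.total_bytes += os.path.getsize(path)
    return inventory


def find_orphans(inventory, configured_devices):
    """Archives whose device no longer exists in the product.

    After a source is deleted its archive entries are gone, so archive
    retention never touches these files; they are the candidates for
    manual removal (or for re-association via Add Archive Entries).
    """
    configured = {d.lower() for d in configured_devices}
    return {dev: info for dev, info in inventory.items() if dev not in configured}


def support_summary(info):
    """The details Technical Support asks for: file names and file count."""
    return {
        "device": info.device,
        "file_count": len(info.files),
        "total_bytes": info.total_bytes,
        "files": [os.path.basename(p) for p in info.files],
    }


def build_sample_archive_dir(base=None):
    """Create a constructed sample archive directory (not real product output)."""
    base = base or tempfile.mkdtemp(prefix="ela_archive_")
    sample_names = [
        "web01_2024-01-05.zip",              # still configured
        "web01_2024-01-06.zip",
        "10.0.0.7_2024-01-05.zip",           # source was deleted: orphan
        "dc01.corp.example_2024-01-05.zip",  # still configured, FQDN style
        "README.txt",                        # not an archive, ignored
    ]
    for name in sample_names:
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(name.encode())          # content length == name length
    return base


if __name__ == "__main__":
    archive_dir = build_sample_archive_dir()
    inv = inventory_archives(archive_dir)
    still_configured = ["web01", "DC01.corp.example"]   # from the UI; constructed here
    for dev, info in sorted(inv.items()):
        print(support_summary(info))
    for dev, info in find_orphans(inv, still_configured).items():
        print(f"orphaned archives for deleted source {dev}: "
              f"{len(info.files)} file(s), {info.total_bytes} bytes")
```

Run it against your real archive location with the device list from the UI instead of the constructed sample; the orphan report tells you which files archive retention will never clean up, and the per-device summary is the file list and count Support asks for.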
