Event Journals
You can only configure event journal sizes if you have an XDR, MDR, or MDR Complete license.
We store event journals on your managed Windows, Mac, and Linux devices. They record activity on your devices, and you can query them with Live Discover "Endpoint" queries in the Threat Analysis Center. See Live Discover. Our default settings typically store about 90 days of activity.
You can configure the amount of space that event journals can use on your devices. To do this, go to My Products > Endpoint (or Server for servers), click Event Journals, then configure the following settings:
- Maximum journal size (MB): Enter a value between 300 and 30,000. The default is 5250.
- Maximum disk space (optional): Select an option from the drop-down list. The options are as follows: Not specified, 10%, 20%, 30%, 40%. The default is Not specified.
Note
If you specify both a maximum journal size and a maximum disk space, we'll use the lower of these limits.
If you select Use Default Settings, Maximum disk space (optional) is grayed out.
Warning
These settings apply to all endpoints and servers and can't be adjusted individually. If you decrease the maximum journal size or maximum disk space, your devices may discard some journal data. Reducing these values also reduces the amount of data available to query with Live Discover across all of your devices.