Okay, there's this article:
What it doesn't tell you is "How long?" and the reason for that is that there's some trickery involved in figuring that out.
First, by default, the LEM agent will queue data until there is less than 512MB free on the disk it's installed on. So, if you have a 30GB hard drive and 22GB are filled with Windows and programs, the agent will log about 7.5GB of data. Then it starts rotating: it'll drop the oldest data to make room for new data. (The 512MB thing is configurable, and I always hear rumors we're going to change that default someday since newer systems sorta freak out with less than 1GB free, but as of Agent 6.0 this is still the case.)
As an aside, if you do want to change this setting, do this:
- Stop the LEM Agent on the machine
- Open the %SYSTEM%\SysWOW64\ContegoSPOP\spop.conf file
- Add this line: QueueMinDiskFree=2048mb
- Restart the Agent Service
That'll set the agent to stop queuing when there's 2GB free on the disk instead of 512MB. Pick your value as you see fit.
Second, that means that "How long?" is a function of your audit policy, the average size of the events on the system in question, the frequency of those events and the size of the disk.