2 Replies Latest reply on Oct 21, 2015 3:47 PM by hattoja

    How have you fine-tuned your LEM Event Distribution Policy?

    hattoja

      I'm really curious to see what others have done to cut down the amount of unnecessary noise that LEM is pulling in. I've just started to do a thorough review of what we really need to capture. I know that having well-defined local or domain audit policies on the systems reporting to LEM is probably a better approach, but not always... and sometimes we gotta work with what we got!

      So - what have you all done to your Event Distribution Policy to cut down the noise? Let's all keep in mind that every environment is different and not everything will help everyone equally, or at all.

        • Re: How have you fine-tuned your LEM Event Distribution Policy?
          mark88

          We have a fairly small deployment (~15 million events per day) so haven't needed to tweak any settings in Event Distribution Policy as yet, but I'm keen to expand our deployment and find out what others have done along this line. 

          • Re: How have you fine-tuned your LEM Event Distribution Policy?
            hattoja

            I can start...

            Around 50% of our events were ObjectAudits. I picked apart sample after sample and tried to find how these events could be useful to us in any way, and couldn't think of a single use case for a rule that would be accurate or helpful. So, after turning object auditing off in the Event Distribution Policy, our LEM manager is now bringing in less than half of what it was before. Should this stuff be logged to LEM, or even at all? Not sure yet, we're still reviewing our domain-wide policies... but for now, it's still being logged and backed up locally (it's there if we do ever need it for whatever reason)... it's just not unnecessarily bogging down LEM.

            edit: Is this a terrible idea? If so, tell me.