Sending logs generated by agents

  1. In an agent group’s Monitoring tab, go to the Logs section.
  2. Choose the severity level above which logs will be sent to the following destinations:

    • Show on agent: in the Help and support panel, under the Events tab of the agent's interface,
    • Show on console: in the Agent logs panel on the administration console, i.e., stored in the log database.

    For example, if you choose Informational for the agent, all logs can be viewed in the agent's interface, except for Debug logs.

    Emergency and Alert logs will always be sent to all destinations. Logs that are not sent can never be read.

    If you are validating new software, a new workstation, etc., send Informational logs temporarily. During maintenance or troubleshooting, Debug logs will also come in useful.

    For more information on log severity levels, refer to the section Monitoring SES Evolution agent activity.

    To refine this global action, you can define the logs to send for each security rule. For further information, refer to the section Configuring log management.

    To configure how logs are sent to syslog servers, refer to the section Creating groups of agent handlers.

  3. SES Evolution checks the certificates of all signed applications by default and adds this information to logs. If you notice performance-related issues, enable the setting Calculate certificates only when necessary. Certificates will be checked only if security rules match the applications or drivers identified by certificates.
    We recommend that you keep the default behavior so that logs will contain as much information as possible.

  4. Choose the maximum frequency (in seconds) with which the agent's logs will be sent to the agent handler:

    • Urgent logs correspond to Emergency and Alert logs.
    • Standard logs group all other levels.

    This parameter allows you to manage bandwidth use. Urgent logs are sent every 30 seconds by default and standard logs are sent every hour (3600 seconds).

  5. Choose the frequency of the Agent status update in seconds. The agent connects automatically to the agent handler by default every 60 seconds to:

    • Send information about its status to refresh the agent group panel,
    • Retrieve new configurations, policies or updates if there are any.

    You can also manually force a connection to the agent handler and log sending by clicking on Check for updates in Protection status in the agent's interface.

  6. Logs displayed on an agent are deleted from the disk by default based on the following criteria:

    • When logs exceed 500 MB. In this case, the oldest logs will be deleted until they occupy less than 500 MB.
    • When logs are older than 30 days. This duration can be modified in the field Delete logs older than. If this option is fully disabled, only the file size criterion will apply.

  7. Specify whether to Upload self-protection logs from agents to the agent handler. These are logs collected from the various mechanisms that protect components essential to the integrity of the agent. When this parameter is disabled, self-protection logs will remain available on agents.
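
The settings from steps 2, 4 and 6, modelled as an added example (not Stormshield code and not an SES Evolution API): it shows which destinations receive a log of a given severity, how long the log can wait on the agent before upload, and what local retention keeps. `LogPolicy`, `route` and `prune` are hypothetical names, the console threshold is a constructed sample value, and the full severity order is assumed to follow syslog.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed syslog-style order, most to least severe. The page itself names only
# Emergency, Alert, Informational and Debug; the other names are an assumption.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
URGENT = {"Emergency", "Alert"}  # always sent to all destinations
MB = 1024 ** 2                   # assumption: 1 MB = 1024**2 bytes

@dataclass
class LogPolicy:  # hypothetical model of the Logs section, not a product API
    agent_threshold: str = "Informational"
    console_threshold: str = "Warning"   # constructed sample choice
    urgent_interval_s: int = 30          # default stated on the page
    standard_interval_s: int = 3600      # default stated on the page
    max_bytes: int = 500 * MB            # default stated on the page
    max_age_days: Optional[int] = 30     # None: "Delete logs older than" disabled

def passes(severity: str, threshold: str) -> bool:
    """True if a log of this severity reaches a destination with this threshold."""
    return severity in URGENT or SEVERITIES.index(severity) <= SEVERITIES.index(threshold)

def route(policy: LogPolicy, severity: str):
    """Return (on_agent, on_console, longest wait in seconds before upload or None)."""
    on_console = passes(severity, policy.console_threshold)
    wait = None
    if on_console:
        wait = policy.urgent_interval_s if severity in URGENT else policy.standard_interval_s
    return passes(severity, policy.agent_threshold), on_console, wait

def prune(policy: LogPolicy, logs, today: int):
    """logs: (day_written, size_bytes) tuples, oldest first. Returns the logs kept."""
    if policy.max_age_days is not None:
        logs = [entry for entry in logs if today - entry[0] <= policy.max_age_days]
    total = sum(size for _, size in logs)
    if total > policy.max_bytes:
        while logs and total >= policy.max_bytes:  # drop oldest until under the cap
            total -= logs[0][1]
            logs = logs[1:]
    return list(logs)

if __name__ == "__main__":
    policy = LogPolicy()
    for sev in SEVERITIES:
        print(sev, route(policy, sev))
```

With these sample thresholds, a Notice log is visible on the agent but never reaches the console, and an Error log can sit on the agent for up to an hour before it is uploaded.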