You can only configure event journal sizes if you have an XDR, MDR, or MDR Complete license.
We store event journals on your managed Windows devices. They record activity on your devices, and you can query them with Live Discover "Endpoint" queries in the Threat Analysis Center. See Live Discover. Our default settings typically store about 90 days of activity.
You can configure the amount of space that event journals can use on Windows devices. To do this, go to Endpoint Protection (or Server Protection for servers), click Event Journals, then configure the following settings:
- Maximum journal size (MB): Enter a value between 300 and 30,000. The default is 5250.
- Maximum disk space (optional): Select an option from the drop-down list. The options are as follows: Not specified, 10%, 20%, 30%, 40%. The default is Not Specified.
If you specify both a maximum journal size and a maximum disk space, we'll use the lower of these limits.
If you select Use Default Settings, Maximum disk space (optional) is grayed out.
If you decrease the maximum journal size or maximum disk space, your devices may discard some journal data.