Missing client event log entries in Secure Endpoint

sesec030
Level 1

Hello,

A few days ago, we noticed that the event logs of the individual clients in the Secure Endpoint Dashboard of one of our larger customers only contain very few entries. Normally we see several dozen to 100 or even more entries there, but now in many cases there is only a single-digit number.

This is the case for the majority of the more than 1000 clients. These are not new devices; most of them have been equipped with Secure Endpoint for several years.

Does anyone here know about this phenomenon and what the cause might be? Does this possibly occur after a connector update?

Thank you for your feedback.

4 Replies

Roman Valenta
Cisco Employee

Without further details or examples it's really hard to say what you see or what you are missing that was normally there. Not sure where you are looking in the console.

Are you talking about the Events page? If so, make sure there are no filters selected and you are viewing the correct time range.

If you are talking about the actual Dashboard heat map, the same applies here as well: make sure you are looking at the correct time and no filters are applied.

Also remember that the retention policy is 30 days, so everything older than 30 days will be removed. In other words, let's say your compromise was 24% yesterday and today when you look you see only 5%; that means 19% of those compromise events yesterday were probably older than 30 days and got removed. This also applies to any other events under the Events page.

If you still think that there is an issue, please open a TAC case and we will be more than happy to take a look.

Hello Roman, thank you for your reply. Here is an example. Time range is 30 days, no filters are applied. This client is active almost every day. It looks like this or very similar on most of the clients. Any idea?

Thank you.

Well, that definitely does not look right; even in my lab I have more events per computer than what you are showing. This could be isolated to your org and will have to be checked internally. Can you please open a TAC case so we can address that?

sesec030
Level 1

OK, I will open a TAC for this. Thank you again.