Hi Nathan,
In addition to what Frank said correctly, I would start with coalescing turned off when onboarding a new log source. This is especially true for Windows-based log sources, as they contain many custom properties which are not checked for coalescing criteria. When you do incident forensics, that's not what you want, as you are missing valuable info. The same is true for many other log sources, such as NG firewalls, cloud-based log sources, etc.
If you really want to turn it on, check a 24h interval of logged events first.
BTW, the additional storage consumption is relatively low, as data gets compressed anyway as soon as it comes in. Unfortunately coalescing is still turned on by default afaik.
BR
Karl
------------------------------
Karl Jaeger, Business Partner
QRadar Specialist
pro4bizz
Karlsruhe, Germany
4972190981722
------------------------------
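To make Karl's point concrete, here is an added simulation (not code from the thread or from IBM) of how coalescing collapses a burst of events whose custom properties differ. The coalescing key (source IP, destination IP, destination port, username, event type) and the "more than 4 matching events in 10 seconds" threshold are assumptions modelled on QRadar's documented default, and the sample events are constructed; the same function can be pointed at a 24h export to estimate how many distinct custom-property values a log source would lose.

```python
from collections import defaultdict, deque

# Assumed QRadar-style coalescing rule (not stated in the thread): events that
# share these fields are collapsed once more than THRESHOLD of them arrive
# within WINDOW_S seconds. Custom properties are not part of the key.
KEY_FIELDS = ("src_ip", "dst_ip", "dst_port", "user", "qid")
THRESHOLD = 4
WINDOW_S = 10

def coalesce(events):
    """Simulate coalescing over time-ordered events.

    Returns (stored, lost): `stored` lists the records that would be kept,
    each carrying an 'event_count'; `lost` maps a coalescing key to the set of
    (property, value) pairs that existed only in collapsed events."""
    recent = defaultdict(deque)   # key -> timestamps inside the sliding window
    last_stored = {}              # key -> the stored record still absorbing hits
    stored, lost = [], defaultdict(set)
    for ev in sorted(events, key=lambda e: e["t"]):
        key = tuple(ev[f] for f in KEY_FIELDS)
        q = recent[key]
        while q and ev["t"] - q[0] > WINDOW_S:   # drop timestamps outside window
            q.popleft()
        q.append(ev["t"])
        if len(q) > THRESHOLD and key in last_stored:
            rec = last_stored[key]
            rec["event_count"] += 1              # counted, but its payload is gone
            for k, v in ev["custom"].items():
                if rec["custom"].get(k) != v:
                    lost[key].add((k, v))
        else:
            rec = {**ev, "custom": dict(ev["custom"]), "event_count": 1}
            stored.append(rec)
            last_stored[key] = rec
    return stored, dict(lost)

def sample_events():
    """Constructed Windows-style events (not from the thread): one account
    touching six different files on a share within a few seconds."""
    base = {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9", "dst_port": 445,
            "user": "alice", "qid": 5000001}
    evs = [{**base, "t": i, "custom": {"target_file": f"doc{i}.docx"}} for i in range(6)]
    evs.append({**base, "t": 30, "custom": {"target_file": "doc30.docx"}})  # new window
    evs.append({**base, "user": "bob", "t": 2, "custom": {"target_file": "x.xlsx"}})
    return evs

def summarize(events):
    """Onboarding check: how much forensic detail would coalescing discard?"""
    stored, lost = coalesce(events)
    return {"received": len(events), "stored": len(stored),
            "lost_custom_values": sum(len(v) for v in lost.values())}
```

On the constructed burst, the files accessed in the fifth and sixth events survive only as an incremented count on the fourth record, which is exactly the gap Karl describes for a forensic timeline.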
Original Message:
Sent: Tue October 12, 2021 10:45 AM
From: Nathan Pavlovsky
Subject: Log Source Event Coalescing
Hi Folks,
In the place where I work, there have been some discussions regarding QRadar event coalescing on log sources so as to optimize memory consumption for event storage.
I'm now researching the best practices and the pros and cons of doing so or not on different log source types, and was wondering what you folks have to say.
Thanks in advance!
------------------------------
Nathan Pavlovsky
------------------------------