If it is just a simple query without correlation needed, looking for
something on a single event source, then a Reporting Alert would work.
The same thing could be done on ESA. I have some customers using the
query for the alert not directly in the r...
Do your events contain the event time in some form? Looking at the parser
code, I see that they should normally have a month, day and
timestamp. That can then be used to set the event time.
For the Node Zero (Admin Server) you should plan for about 40 GB RAM, ESA
about 8 - 12 GB, and then for a Packet Hybrid or Endpoint Log Hybrid you
could allocate 8 GB RAM each.