Security Analytics 10.6 has new feature that will allow you to significantly reduce your storage footprint for long term log retention on the Archiver. Selective Log Retention allows you to create 'buckets' for your logs and specify differing retention periods for those buckets. This will allow you to create a bucket, or collection, for your compliance logs to keep, for example, for years. You could create a bucket for your security relevant logs to keep for six months. You could create a bucket for copious, low value logs to keep for weeks.
Previously, if you needed to keep compliance logs for years you had to keep all logs for years, whether you needed them or not. By aging out less valuable logs in shorter time frames if frees up space for your important logs allowing you to significantly extend the retention period for those logs without adding storage. You still have the options for Hot, Warm, and Cold storage with individually configurable settings per collection.
The easiest way to set up Selective Log Retention is configure rules to separate out your compliance regulation logs, such as with Event Source Groups or Device IP (device.ip), and set the appropriate, required retention period. Next, find the bulk of the low value logs by either Event Source Type (device.type) or Message ID (msg.id) and give those the lowest acceptable retention period. Lastly, configure the retention period on the default collection, which will contain all of the remaining logs. Further configuration refinement can optimize storage even more.
Let us know what you think and how it works for you!
More information can be found on RSA Security Analytics Documentation under Security Analytics 10.6 > Data Privacy Management > References > Data Retention Tab - Archiver or Security Analytics 10.6 > Host and Services Configuration Guides > Archiver Configuration Guide > Configure Archiver > Step 3. Configure Archiver Storage and Log Retention > Configure Log Storage Collections.