Archiver: Rule Definition Dialog

Document created by RSA Information Design and Development on Nov 23, 2016

On the Administration > Services > Config view > Data Retention tab of an Archiver, Administrators can define the criteria for log retention and storage. In the Rule Definition dialog, which is accessible from the Retention Rules section, you can define retention rules to use for your storage collections.

Procedures related to this dialog box are described in Step 3. Configure Archiver Storage and Log Retention and Define Retention Rules.

Rule and Query Guidelines presents the guidelines for all queries and rule conditions in Security Analytics Core services.

To access the Rule Definition dialog: 

  1. In the Security Analytics menu, select Administration > Services.
  2. Select an Archiver service and, from its actions menu, select View > Config.
  3. In the Services Config view for the service, click the Data Retention tab.
  4. In the Retention Rule section, click the Add icon or the Edit icon.
    The Rule Definition dialog is displayed.

[Screenshot: Rule Definition dialog]

The following table describes fields in the Rule Definition dialog.

Field: Name
Description: Specify a unique name for your retention rule. For example: ComplianceDevices

Field: Condition
Description: Specify the conditions for the type of logs that you want to include in the collection.

    All string literals and time stamps must be quoted. Do not quote number values and IP addresses.

    For example:
    device.group='PCI Devices' || device.group='HIPPA Devices'

    Rule and Query Guidelines presents the guidelines for all queries and rule conditions in Security Analytics Core services.

Field: Collection
Description: Select the collection on which you want to apply this rule. For example: Compliance
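The quoting rule for the Condition field (string literals and time stamps quoted, numbers and IP addresses unquoted) is easy to get wrong when rules are written by hand or generated by a script, and a rule that fails to parse silently retains nothing. The following checker is an added example, not part of the RSA documentation or the Archiver product: it tokenizes a condition into comparisons joined by || or && (the && operator and the != comparison are assumptions; only = and || appear on this page) and reports every value whose quoting contradicts the rule.

```python
import ipaddress
import re

# Constructed checker for the quoting guideline stated in the Condition field
# description. Assumptions (not taken from the page): clauses are key=value or
# key!=value, joined with || or &&; quotes may be single or double.
_COMPARISON = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*(!=|=)\s*(.+?)\s*$")
_NUMBER = re.compile(r"^-?\d+(\.\d+)?$")


def _is_ip(text):
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _is_quoted(text):
    """True when the value is wrapped in matching single or double quotes."""
    return len(text) >= 2 and text[0] == text[-1] and text[0] in ("'", '"')


def _split_clauses(condition):
    """Split on || and && that occur outside quoted literals."""
    clauses, buf, quote, i = [], [], None, 0
    while i < len(condition):
        ch = condition[i]
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif condition[i:i + 2] in ("||", "&&"):
            clauses.append("".join(buf))
            buf = []
            i += 1  # skip the second operator character
        else:
            buf.append(ch)
        i += 1
    clauses.append("".join(buf))
    return clauses


def check_condition(condition):
    """Return a list of quoting problems; an empty list means the rule follows
    the guideline. Each problem names the key and the offending value."""
    problems = []
    for clause in _split_clauses(condition):
        m = _COMPARISON.match(clause)
        if not m:
            problems.append(f"cannot parse clause: {clause.strip()!r}")
            continue
        key, _op, value = m.groups()
        if _is_quoted(value):
            inner = value[1:-1]
            # Numbers and IP addresses must NOT be quoted.
            if _NUMBER.match(inner) or _is_ip(inner):
                problems.append(f"{key}: number/IP value {value} must not be quoted")
        elif not (_NUMBER.match(value) or _is_ip(value)):
            # Anything that is not a number or IP is a string or time stamp
            # and therefore MUST be quoted.
            problems.append(f"{key}: string/time stamp value {value!r} must be quoted")
    return problems


if __name__ == "__main__":
    # Constructed sample conditions, including the one from the page.
    for cond in (
        "device.group='PCI Devices' || device.group='HIPPA Devices'",
        "device.group=PCI Devices",
        "ip.src='10.1.2.3'",
        "ip.src=10.1.2.3 && tcp.dstport=443",
        "time=2016-11-23 00:00:00",
    ):
        print(cond, "->", check_condition(cond) or "ok")
```

Run the checker over a rule before saving it in the dialog, or over an exported set of rules, and treat any reported problem as a rule that will not select the logs you expect.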