On the Administration > Services > Config view > Data Retention tab of an Archiver, Administrators can define the criteria for log retention and storage. In the Collection dialog, which is accessible from the Collections section, you can define individual storage collections to use for different log types. For example, you may want to create collections for compliance reasons or to selectively retain critical logs.
Procedures related to this dialog box are described in Step 3. Configure Archiver Storage and Log Retention and Configure Log Storage Collections.
To access the Collection dialog:
- In the Security Analytics menu, select Administration > Services.
- Select an Archiver service and > View > Config.
- In the Services Config view for the service, click the Data Retention tab.
- In the Collections section, click .
The Collection dialog is displayed.
The following table describes the fields in the Collection dialog.
|Collection Name||Specify a name for your collection, such as Compliance, MediumValue, or LowValue.|
|Hot Storage||Specify the maximum size or percentage of hot storage to use for this collection. The free space available to use for hot storage and the total hot storage are shown next to this field. |
When the size of the logs reach the maximum hot storage size, the logs are removed or they roll to the next available storage tier (warm or cold).
|Warm Storage||(Optional) Specify the maximum size or percentage of warm storage to use for this collection. The free space available to use for warm storage and the total warm storage are shown next to this field. |
When the size of the logs reach the maximum warm storage size, the logs are removed or they roll to available cold storage.
|Cold Storage||(Optional) Specify whether to use cold storage for this collection. If you use cold storage for the collection, logs outside of the specified size and retention limits roll over to cold storage. If you do not use cold storage, logs outside of the specified size and retention limits are removed.|
|Retention||(Optional) Specify the number of days that logs are retained before they are removed or rolled over to cold storage. |
For Hot and Warm Storage, size and retention period settings for a collection can override each other based on which criterion (size or time) is satisfied first.
|Compression||Specify the type of compression to use for meta and raw logs in the collection. You can compress the meta and raw logs using GZIP or LZMA to save space. GZIP is very fast at compressing and decompressing, but it does not compress as well as LZMA. LZMA offers better compression at a cost of decompression speed (roughly three times slower than GZIP). Compression ratios are highly dependent on your data.|
The default compression is GZIP.
|Hash||Specify whether to enable or disable hash. When enabled, the hash algorithm is used to verify the data integrity of the files being saved. By default, the only data being hashed is raw logs and the hash files are saved in the same directory as|
Note: When decreasing collection storage allocations or lowering retention time, it may take several minutes to hours for the data to move and space to become available depending on the amount of moving (rolling) data. The default times are every 20 minutes for a size roll and every six hours for a time roll.