Archiver: Define Retention Rules

Document created by RSA Information Design and Development on Mar 21, 2017. Last modified by RSA Information Design and Development on Mar 24, 2017.
Version 5

This topic provides instructions for Administrators on how to define and order retention rules for log storage collections on an Archiver.

Retention rules specify the type of logs to be stored in the collection. In order for your log collections to gather and store log data, you must associate them with at least one retention rule. When you configure a retention rule, you specify a condition and a collection for that rule. The condition (rule definition) determines the type of logs stored in that collection.

For the condition, you can use anything that works in a regular query where clause.

Note: All string literals and time stamps must be quoted. Do not quote number values and IP addresses.

For example, to get logs from compliance services, you can use the following condition: 

device.group='PCI Devices' || device.group='HIPPA Devices'

Rule and Query Guidelines provides additional examples.

After you define the retention rules for your collections, it is important that you specify the order of your retention rules. Security Analytics evaluates the retention rules for all of the collections in numerical order by the number listed in the Order column in the Retention Rule section of the Data Retention tab of the Archiver (Administration > Services Config view). 

[Screenshot: ArcRetRule.png]

Caution: Rule order is very important. It determines the priority for evaluating the log data for storage retention. 
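The quoting rule for conditions and the Order-column evaluation described above, shown together in an added Python example. This is illustration code written for this page, not RSA's rule engine: it parses the small where-clause subset the page shows (field=value terms joined by && and ||), rejects unquoted string literals while accepting bare numbers and IP addresses, and walks a rule list in Order-column sequence. First-match-wins and the sample rule, log and field values are assumptions made for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example, not RSA's own rule engine: a small evaluator for retention-rule
# conditions in the where-clause style shown on this page. It enforces the quoting
# rule (strings and time stamps quoted, numbers and IP addresses bare) and applies
# rules in Order-column sequence; first match wins is an assumption for illustration.

_TOKEN = re.compile(r"\s*(?:(\|\||&&|=)|'([^']*)'|([\w.]+))")

def _tokenize(text):
    """Yield (kind, value) pairs: 'op', 'str' (quoted literal) or 'bare' (unquoted word)."""
    text, pos = text.strip(), 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at {text[pos:]!r}")
        pos = m.end()
        if m.group(1):
            yield "op", m.group(1)
        elif m.group(2) is not None:
            yield "str", m.group(2)
        else:
            yield "bare", m.group(3)

def _literal(kind, value):
    """Quoted tokens are strings; bare tokens must parse as an IP address or a number."""
    if kind == "str":
        return value
    for convert in (ipaddress.ip_address, int):
        try:
            return convert(value)
        except ValueError:
            continue
    raise ValueError(f"{value!r} is neither a number nor an IP address; quote string literals")

def compile_condition(text):
    """Parse field=value terms joined by && (binds tighter) and || into a predicate on a log record."""
    tokens, pos = list(_tokenize(text)), 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("condition ends unexpectedly")
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_term():
        kind, field = take()
        if kind != "bare":
            raise ValueError(f"expected a field name, got {field!r}")
        if take() != ("op", "="):
            raise ValueError(f"expected '=' after {field}")
        wanted = str(_literal(*take()))  # compare as text so 4648 in a record matches bare 4648
        return lambda log: field in log and str(log[field]) == wanted

    def parse_and():
        terms = [parse_term()]
        while peek() == ("op", "&&"):
            take()
            terms.append(parse_term())
        return lambda log: all(t(log) for t in terms)

    def parse_or():
        terms = [parse_and()]
        while peek() == ("op", "||"):
            take()
            terms.append(parse_and())
        return lambda log: any(t(log) for t in terms)

    predicate = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos][1]!r}")
    return predicate

@dataclass
class RetentionRule:
    name: str        # unique, no spaces, e.g. LowValueWinLogs
    condition: str   # where-clause condition
    collection: str  # collection that stores matching logs

def assign_collection(rules, log):
    """Return the collection of the first rule, in Order-column sequence, whose condition matches."""
    for rule in rules:
        if compile_condition(rule.condition)(log):
            return rule.collection
    return None  # no rule matched this record

# Constructed sample rules built from the two conditions shown on this page.
RULES = [
    RetentionRule("LowValueWinLogs", "device.type='winevent_nic' && msg.id='security_4648_security'", "LowValue"),
    RetentionRule("ComplianceLogs", "device.group='PCI Devices' || device.group='HIPPA Devices'", "Compliance"),
]
# Constructed log record that satisfies both rules, so rule order alone decides where it is stored.
PCI_WIN_LOG = {"device.type": "winevent_nic", "msg.id": "security_4648_security", "device.group": "PCI Devices"}
```

With the rules in the order listed, assign_collection(RULES, PCI_WIN_LOG) returns "LowValue"; reversing the list returns "Compliance" for the same record, which is the effect the caution about rule order is warning about. Compiling a condition such as device.group=PCI Devices raises ValueError because the string literal is not quoted, while ip.src=10.0.0.1 && event.id=4648 compiles as intended.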

Prerequisites

Before you configure your retention rules:

  • Configure total hot, warm, and cold storage
  • Configure log storage collections

Procedures

Define a Retention Rule for a Collection

  1. In the Security Analytics menu, select Administration > Services.
  2. Select the Archiver service and ic-actns.png > View > Config.
    The Services Config view of Archiver is displayed.
  3. On the Data Retention tab, in the Retention Rule section, click ic-add.png.
    The Rule Definition dialog is displayed.
    [Screenshot: RuleDefExWinLog.png]
  4. Configure the fields in the Rule Definition dialog as described in the following table:
    Field: Rule Name
    Description: Specify a unique name for your retention rule. It cannot include spaces. For example: LowValueWinLogs

    Field: Condition
    Description: Specify the conditions for the type of logs that you want to include in the collection. All string literals and time stamps must be quoted. Do not quote number values and IP addresses.
    For example:
    device.type='winevent_nic' && msg.id='security_4648_security'
    Rule and Query Guidelines provides additional examples.

    Field: Collection
    Description: Select the collection on which you want to apply this rule. For example: LowValue.
  5. Click Save.
    The retention rule that you define becomes associated with the collection you selected. On the Data Retention tab, in the Collections section, you can click ActionsButton.png > Select Rules in the Actions column for the selected collection to view the retention rules associated with the collection in the Retention Rule section.
    [Screenshot: AssocRetRul2.png]

Specify the Order of your Retention Rules

To prioritize the complete list of all of your retention rules:

  1. In the Retention Rule section of the Data Retention tab, select a retention rule and use drag and drop (or select ic-up.png Move Up and ic-down.png Move Down) to change its order in the priority list.

    [Screenshot: ArcRetRule2.png]
  2. Click Apply to save the order of the retention rules.

Caution: Rule order is very important. It determines the priority for evaluating the log data for storage retention.

Next Step

Add Archiver as a Data Source to Broker. 
