Retention Rules & Purge logs from Archiver
I need to filter logs to be stored on Archiver. I need to discard any log from device IP 18.104.22.168 and any log from device type 'winevent_nic'; from the device type 'winevent_snare' I just need to keep any log that starts with the word 'security'; and finally keep all the rest of the logs.
So far I have these rules (in that order):
1 device.ip != 22.214.171.124
2 device.type != 'winevent_nic'
3 device.type = 'winevent_snare' && msg.id begins 'security'
I wonder if that set of rules is going to work the way I want. Also I need to purge logs older than 3 years from Archiver (from a specific IP device or device type).
- archive and purge
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
Hi Omar Garcia Gilio,
The retention rules work as expected. Specific IP/device logs can't be rolled over. However, you can create a retention rule with a specific IP/device.type to hold the most recent 3 years of logs going forward.