
Retention Rules & Purge logs from Archiver

Question asked by Omar Garcia Gilio on Oct 4, 2019
Latest reply on Nov 12, 2019 by Sravan Kumar Koneti



I need to filter the logs to be stored on Archiver. I need to discard any log from device ip and any log from the device type 'winevent_nic'; from the device type 'winevent_snare' I just need to keep any log that starts with the word 'security', and finally keep all the rest of the logs.

So far I have these rules (in this order):


1 device.ip !=
2 device.type != 'winevent_nic'
3 device.type = 'winevent_snare' && begins 'security'
default *


I wonder if that set of rules is going to work the way I want. Also I need to purge logs older than 3 years from Archiver (from a specific IP device or device type).
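As an added simulation, not the Archiver's own rule engine or syntax, the script below walks the four rules from the post as an ordered first-match list over a few constructed events, so the reader can see which rule claims each event. It assumes rules 1 and 2 are discard rules, rule 3 and the default are keep rules, and uses a constructed placeholder for the IP that rule 1 leaves blank.

```python
# Added simulation, not the Archiver's rule engine: evaluates an ordered rule
# list first-match style. Rule actions and the placeholder IP are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed placeholder for the IP the post's rule 1 leaves blank.
FILTERED_IP = "192.0.2.10"


@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]
    action: str  # "keep" or "discard" (assumed semantics)


# The post's four rules, in the post's order, each with an assumed action.
RULES: List[Rule] = [
    Rule("rule1", lambda e: e["device.ip"] == FILTERED_IP, "discard"),
    Rule("rule2", lambda e: e["device.type"] == "winevent_nic", "discard"),
    Rule("rule3", lambda e: e["device.type"] == "winevent_snare"
         and e["msg"].lower().startswith("security"), "keep"),  # case-insensitive 'begins' assumed
    Rule("default", lambda e: True, "keep"),
]


def decide(event: Event, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule whose predicate matches."""
    for rule in rules:
        if rule.matches(event):
            return rule.action, rule.name
    raise ValueError("no rule matched; keep a catch-all default rule")


def retained(events: List[Event], rules: List[Rule] = RULES) -> List[str]:
    """Messages of the events a first-match evaluation would keep in storage."""
    return [e["msg"] for e in events if decide(e, rules)[0] == "keep"]


# Constructed sample events, one or two per rule in the list.
SAMPLE_EVENTS: List[Event] = [
    {"device.ip": FILTERED_IP, "device.type": "winevent_nic", "msg": "Security: logon"},
    {"device.ip": "192.0.2.20", "device.type": "winevent_nic", "msg": "System: boot"},
    {"device.ip": "192.0.2.30", "device.type": "winevent_snare", "msg": "Security: user logon"},
    {"device.ip": "192.0.2.30", "device.type": "winevent_snare", "msg": "System: service started"},
    {"device.ip": "192.0.2.40", "device.type": "firewall", "msg": "deny tcp 10.0.0.5 -> 10.0.0.9"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(decide(e), e["device.type"], e["msg"])
```

Under these assumed semantics the fourth sample event (winevent_snare, not beginning with 'security') is claimed by the default rule rather than by rule 3.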