I need to know how long logs are retained on our log hybrids before being rolled off. What would be the best way to determine this?
I think it depends on the size of storage. By default, when 95% usage is reached, it will start to roll over.
You can do a calculation based on the daily event log size to get the retention period.
You can enable compression if the retention period is not meeting your requirement, or add more storage, or use Archiver.
If it is too long and you want to purge, then you can run a REST script (cron job) to remove the old logs.
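As an added worked example (not from the thread and not an RSA tool), here is the retention calculation suggested above: given the storage capacity, the 95% usage threshold at which rollover starts, and the daily log volume, how many days fit before old logs roll off, with and without compression. The capacity figures, daily volumes and compression ratio are constructed; use your own numbers from the decoder's stats.

```python
# Added example, not from the thread: estimate how many days of logs fit on a
# Log Decoder before rollover, using the 95% usage threshold mentioned above.
# Capacity figures, daily volumes and the compression ratio are constructed.
import math

ROLLOVER_THRESHOLD = 0.95  # rollover reportedly starts at 95% usage


def usable_capacity(capacity, threshold=ROLLOVER_THRESHOLD):
    """Space that can fill with logs before rollover starts (same unit as capacity)."""
    return capacity * threshold


def retention_days(capacity, daily_volume, compression_ratio=1.0):
    """Whole days of logs that fit before rollover, for a constant daily volume.

    compression_ratio is on-disk size / raw size (1.0 = uncompressed,
    0.3 = roughly 70% saved). Units cancel, so GB, TB or bytes all work
    as long as capacity and daily_volume use the same one.
    """
    if daily_volume <= 0:
        raise ValueError("daily_volume must be positive")
    on_disk_per_day = daily_volume * compression_ratio
    return math.floor(usable_capacity(capacity) / on_disk_per_day)


def retention_from_history(capacity, daily_volumes, compression_ratio=1.0):
    """Like retention_days, but for a variable daily volume.

    daily_volumes is ordered oldest -> newest. Walk back from the newest day
    and count how many whole days fit under the threshold; that is what the
    decoder can hold once it has been rolling over for a while.
    """
    budget = usable_capacity(capacity)
    days = 0
    for volume in reversed(daily_volumes):
        budget -= volume * compression_ratio
        if budget < 0:
            break
        days += 1
    return days


def required_capacity(target_days, daily_volume, compression_ratio=1.0):
    """Storage needed so that target_days of logs fit under the threshold
    (the 'add more storage' option above)."""
    return math.ceil(target_days * daily_volume * compression_ratio / ROLLOVER_THRESHOLD)


if __name__ == "__main__":
    # Constructed figures: a 10,000 GB decoder ingesting 60 GB/day of raw logs.
    print(retention_days(10_000, 60))        # uncompressed
    print(retention_days(10_000, 60, 0.3))   # with gzip-like compression
    print(required_capacity(365, 60))        # storage for a one-year target
```

The constant-volume estimate is the quick answer; the history-based one is closer to what you will actually see when daily volume swings (month-end batches, an incident), because the oldest days roll off only as newer, larger days arrive.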
Can I look in Devices -> Administration -> Devices and check somewhere for dates of oldest files?
view - explorer:
What exact value do we have to put for compression and encryption, and after that how can we verify that logs are now being compressed or encrypted? Bro, any idea about this compression or encryption value?
Or what's the RSA best practice for compression or encryption?
You can compress but not encrypt.
path:/database/config/packet.compression set to gzip
I don't have any best practice, but I've tested it, and the compression rate is quite high.
It may affect performance for both writing and reading.
Okay, let me try compression. And if we check SSL at the time of device addition in SA, does that provide us encryption?
Administration -> Devices -> "Your Log Decoder" -> Stats
That value is the amount of logs the system actually sees. This does not mean that is all the data you can search on.
You can get the value of the information you can search on by going to Investigator, then using your log concentrator to view all data. At the top left, that date and time is the furthest back you can search. This is controlled by your session information, which links the meta to the actual log data.
These numbers are likely to be way off. Mine currently shows March 23 as the meta date and January 10th for actual log data.