Manage Retention Policies for Imported Logger Data

Not available in a SaaS environment

To manage the storage and expiration of the recently imported data from Logger, the system automatically enables the retention policy for the Logger event data. You do not need to manually direct events to a certain storage group and implement additional retention policies, but rather take advantage of the same storage rules already set in Logger.

You can update and review the retention policy strictly from the Logger interface. However, changes made to the retention policy after the archive migration has been started won't be reflected on the archives imported to the ArcSight Database.

For a non-SaaS environment

As part of the metadata migration, the tool brings in the Storage Groups and their retention information. Because in Logger the retention settings are based on days, the tool converts them to months and rounds it up as to comply with the format used by the ArcSight Database. If the Maximum Archives Age value was set to -1 for a Storage Group in Logger (meaning a disabled retention policy), the retention process for it will also be disabled in Log Management and Compliance ArcSight Recon.

For a SaaS environment

When you migrate Logger data to a SaaS environment, the system temporarily stores data in an AWS S3 bucket. For successfully migrated data, the system deletes the temporary files stored in the bucket after a month.

For data that hasn't been imported, the temporary files will be deleted from the bucket based on the ArcSight license purchased by your organization.

The retention period for data imported to the ArcSight Database will be either the Storage Group Retention value (from Logger) or the one established by the ArcSight license, depending on which one is lower.

For more information about preparing for data migration, see Installing the AWS Command Line Interface in Each Logger in the ArcSight SaaS Quick Start for Administrator's guide.