9.4 Data Retention Policy

The event data retention policies control the duration for which different types of event data are kept in the system before being deleted. Data retention is governed by a set of event data retention policies, which the Change Guardian administrator configures.

By default, the existing data retention policies are set to a minimum of 90 days. Complete the following steps to change the minimum number of days to 1:

  1. Log in to the web console. Navigate to Administration > Storage > Events.

  2. Under Data Retention, you will see 5 default policies created. Click Edit.

  3. Change the Keep at least option from 90 days to 1 day.

  4. Repeat the step for all the default policies.

9.4.1 Creating Data Retention Policy

A retention policy segregates events into multiple data partitions to improve server performance. The policy contains a filter that identifies the events to which the retention policy applies, and the minimum and maximum number of days these events should be kept in the system.

  1. Log in to the Change Guardian web console.

  2. Navigate to the Administration page. Click Storage > Events.

  3. Under Data Retention, click Create to create a new policy.

  4. Specify the following:

    Policy name: Set a name for the policy.

    Criteria: Set the policy criteria as follows:

    (estzhour:[0 TO 2])

    Keep at least: Minimum number of days to retain the events that match the policy. Set the minimum number of days to 1.

    Keep at most: Maximum number of days you want to retain the events that match the policy. A single retention policy creates a folder with the event data, and the folder is retained until the date set by the Keep at most option.

    NOTE:

    • Based on the specified time criteria, Change Guardian starts to create folders named after the date of creation to store the event data.

    • A single event data folder can take up more than 78 GB of storage. Consider the available storage space before setting the Keep at most option. For example, if a policy is created with Keep at least set to 1 day and Keep at most set to 15 days, Change Guardian creates 12 folders of around 90 GB in a single day. These folders are retained for 15 days.

  5. Repeat step 4 until you have created policies that together cover all 24 hours. For example:

    • (estzhour:[3 TO 5])

    • (estzhour:[6 TO 8])

    • (estzhour:[9 TO 11])

    • (estzhour:[12 TO 14])

    • (estzhour:[15 TO 17])

    • (estzhour:[18 TO 20])

    • (estzhour:[21 TO 23])

  6. Restart the server service by running the command for your version:

    systemctl restart sentinel.service

    rcsentinel restart (6.3.1 or before)

NOTE: The file size of the events varies depending on the event size and event type.
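The following Python sketch is an added example, not part of the Change Guardian documentation. It generates the estzhour criteria from steps 4 and 5, checks a policy set for hours matched by no policy or by more than one, and estimates disk use from the folder figures in the NOTE above. It assumes the hour ranges are inclusive, as the page's examples imply, and all function names are hypothetical.

```python
import re

# Criteria format as shown on the page: (estzhour:[LOW TO HIGH])
CRITERIA_RE = re.compile(r"^\(estzhour:\[(\d{1,2}) TO (\d{1,2})\]\)$")


def make_criteria(hours_per_policy):
    """Build estzhour criteria that split the 24-hour day into equal ranges."""
    if hours_per_policy < 1 or 24 % hours_per_policy:
        raise ValueError("hours_per_policy must divide 24 evenly")
    return [f"(estzhour:[{lo} TO {lo + hours_per_policy - 1}])"
            for lo in range(0, 24, hours_per_policy)]


def check_coverage(criteria):
    """Return (gaps, overlaps): hours matched by no policy / by several."""
    hits = [0] * 24
    for c in criteria:
        m = CRITERIA_RE.match(c.strip())
        if not m:
            raise ValueError(f"unrecognised criteria: {c!r}")
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi or hi > 23:
            raise ValueError(f"invalid hour range: {c!r}")
        for h in range(lo, hi + 1):  # assumption: both bounds are inclusive
            hits[h] += 1
    gaps = [h for h, n in enumerate(hits) if n == 0]
    overlaps = [h for h, n in enumerate(hits) if n > 1]
    return gaps, overlaps


def steady_state_gb(folders_per_day, gb_per_folder, keep_at_most_days):
    """Disk used once old folders expire as fast as new ones are created."""
    return folders_per_day * gb_per_folder * keep_at_most_days


if __name__ == "__main__":
    policies = make_criteria(3)
    print("\n".join(policies))
    print("gaps/overlaps:", check_coverage(policies))
    # Constructed faulty set: hour 5 is uncovered, hour 8 is covered twice.
    bad = ["(estzhour:[0 TO 4])", "(estzhour:[6 TO 8])", "(estzhour:[8 TO 23])"]
    print("gaps/overlaps:", check_coverage(bad))
    # Figures from the NOTE: 12 folders/day, about 90 GB each, kept 15 days.
    print(steady_state_gb(12, 90, 15), "GB at steady state")
```

Run the coverage check on the criteria you plan to enter before creating the policies, and compare the storage estimate with the free space on the event data volume.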

Change Guardian uses the same data storage and retention policy technology as Sentinel. For more information, see “Configuring Data Storage” in the Sentinel Administration Guide.