Global Log Retention
Global log retention lets you manage a single log retention policy that applies to data in both Long-term Search and Long-term Storage. Setting an appropriate policy can optimize your search and storage capacity and helps ensure that valuable logs are kept for the required duration. The global log retention settings let you explicitly define how long log data is retained and enforce that period.
Global log retention does not determine how Threat Center logs are retained. Beginning on April 1, 2024, logs related to Threat Center are excluded from this log purge. They are retained and remain available in Search for the duration of your Threat Detection default retention period.
The global log retention period defines how long you want to retain your data and be able to work with it. In effect, it sets the oldest age of log data kept in Long-term Search and Long-term Storage.
Note
Global log retention works based on approxLogTime, and not ingestion time.
License Requirements for Global Log Retention
Global log retention requires one of the following licenses and an add-on package:
Base License | Add-On Packages |
---|---|
Exabeam Security Log Management | Long-term Search / Long-term Storage |
Exabeam SIEM | Long-term Search / Long-term Storage |
Exabeam Fusion | Long-term Search / Long-term Storage |
For more information, see Exabeam Security Operations Portfolio Licenses.
Note
To configure global log retention settings, you must have Administrative permissions.
Calculating Global Log Retention
When calculating global log retention, your primary concern should be retaining data for as long as your internal policies and external regulatory requirements demand. Different regulations (such as PCI DSS, FedRAMP, and HIPAA) require you to retain data for specific lengths of time. After you determine your target retention period, use the formula below to calculate how much capacity you need to license or purchase.
The recommended formula for calculating the global log retention is:
Default Search + Long-term Search + Long-term Storage
Where:
Default Search – The amount of searchable storage provided with your license.
Long-term Search – An add-on amount of searchable storage capacity that you can purchase. This data is accessible in Search and other Exabeam products.
Long-term Storage – An add-on amount of archived storage capacity that you can purchase. Access to this data is limited; it is used mostly for compliance needs.
For example, consider the following scenarios:
License | Scenario A: target retention 180 days (about 90 days searchable) | Scenario B: target retention 400 days (about 180 days searchable) |
---|---|---|
Default Search | 31 days | 31 days |
Long-term Search | 60 days (at 1 TB/day = 60 TB) | 150 days (at 1 TB/day = 150 TB) |
Long-term Storage | 90 days (at 1 TB/day = 90 TB) | 220 days (at 1 TB/day = 220 TB) |
Summary | Global Log Retention = 31 days + 60 days + 90 days = 181 days | Global Log Retention = 31 days + 150 days + 220 days = 401 days |
Because Default Search is 31 days, these sums land one day over the round targets, and the searchable window (Default Search plus Long-term Search) is 91 and 181 days respectively. Size the add-on tiers so that the total equals the exact number of days your policy requires.
Overage Impact
If your subscription includes Long-term Search or Long-term Storage, define your retention preferences. Doing so will usually bring your log storage consumption within your current licensed capacity while still meeting your compliance requirements.
If you do not set your global log retention setting, your data will not be purged, but if you are over capacity you will begin to incur the overage charges calculation set forth in our Service Level Agreement for SaaS. You can also work with your Exabeam account team to explore the best options for expanding your storage capacity.
Storage Capacity Visibility
Use the Service Health and Consumption application to view the storage capacity for your Long-term Search and Long-term Storage licenses. From this application, you can access the License View dashboard, which displays the details of your Exabeam subscription, including your licenses, add-ons, data, and retention limits. The dashboard also includes charts that compare your data consumption levels with the data amounts that you purchased.
Purged Logs
When you set global log retention, any logs beyond the configured period are purged and cannot be recovered, so decide on your retention period carefully before you set it. To protect you from a calculation mistake, a 7-day grace period precedes any reduction in the retention period: during that time, logs beyond the new period are hidden from search but still exist, so you can change the setting back and recover them.
To safeguard against deleting logs you want to keep in Long-term Search, first run a search over the window you intend to drop, using an absolute date range that ends at your intended new retention limit, and review the logs that would be deleted. Adjust the dates in the query until you are comfortable with the set of logs that will be purged.
Set Global Log Retention
When you set the global log retention period, any logs beyond the configured period are purged and are not recoverable. The period applies to data in both Long-term Search and Long-term Storage, so decide on your retention period carefully before you set it, and preview the logs that would be deleted by searching the affected absolute date range first, as described under Purged Logs above.
Note
To configure global log retention settings, you must have Administrative permissions.
To set your global log retention:
Log on to the Exabeam Security Operations Platform.
Click Settings and under Data Retention, select Global Retention. The Global Retention Policy page opens and displays the following information:
Your storage entitlements – Shows your current license entitlements. Make sure the retention period you set aligns with your licensed capacity and consumption. Click View Consumption to open the Service Health and Consumption tool and view your current license consumption details.
Your current retention period – Shows your current retention settings, including the following:
Retention Period – The length of your currently configured retention period.
Oldest Log Retained – The date of the oldest log currently retained.
Next Purge – The date of the next scheduled log purge.
Logs to Be Purged – The cutoff date for the next purge; logs older than this date are purged, so it is the oldest log date that can still be retained after the purge.
Note
Global log retention for all logs is based on approximate log time (approxLogTime), not on ingestion time. Any ingested data whose approxLogTime falls outside your retention period is purged automatically, even if it was ingested recently.
Click Edit retention settings. The Edit your retention period dialog box opens.
On the left, click the drop down arrow in the Retention period field to select a new retention period. If the retention period you want is not listed, select the Custom option and enter a value in days, weeks, months, or years. The retention period must be at least 31 days but not more than 10 years.
Note
Make sure you set the retention period to remain aligned with any internal and external audit or compliance requirements. The following formula can be used to calculate what the retention period will include, according to your licensed capacity:
Global Log Retention = Default Search + Long-term Search + Long-term Storage. For more information, see Calculating Global Log Retention.
When you change the retention period, the impact to your current retained logs is displayed on the right, both in a visual graph (see the example images below) and by the following date fields:
Oldest log retained currently – The date of the oldest log currently retained.
Oldest log retained after new setting is applied – The date of the oldest log after the new retention period settings are applied. Any logs with an Approx Log Time older than this date will be purged.
Change in retention period – The number of days by which the retention period is changing.
Next purge – The date on which the next purge related to the retention period change will take place. A reduction in the retention period takes effect only after a seven-day grace period. An extension takes effect immediately and does not affect the next purge date.
Retention Period Change Examples:
Example of a reduced retention period
Note
Notice the New Retention limit label that indicates where the new retention period ends vs. the Current Retention limit label on the left end that indicates where the retention period currently ends. After a seven-day grace period, any data in the storage period between the dates of the New Retention limit and the Oldest log will be purged.
Example of an extended retention period
In the Initial purge notification field, click the drop down arrow and select an option for how far in advance you want a notification before logs are purged.
When you are satisfied with the changes you've made, click Save and apply changes.
If you have reduced the retention period, Exabeam applies your global log retention settings after a 7-day grace period. During the grace period, current settings remain active. After that grace period, if a log exceeds the global log retention period that you have set, that log will be purged. This applies to any log stored with Long-term Search or Long-term Storage.
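The following Python script is an added example, not Exabeam code, that models the rules this page states so you can preview a retention change before saving it: retention is evaluated on approxLogTime rather than ingestion time, a reduction waits out the 7-day grace period, an extension applies immediately, logs older than the new limit are purged, and the dialog accepts 31 days to 10 years. The sample log records, the daily purge cadence, the 365-day year used for the 10-year limit, and all function and field names are constructed assumptions for illustration; the product evaluates these rules server-side.

```python
"""Preview the effect of a Global Log Retention change (added example, not Exabeam code).

Assumptions not stated by the product documentation: purges run daily, a year is
365 days for the 10-year limit, and the log records below are constructed samples.
"""
from dataclasses import dataclass
from datetime import date, timedelta

GRACE_DAYS = 7                  # a reduction takes effect only after a 7-day grace period
MIN_RETENTION_DAYS = 31         # the dialog accepts at least 31 days ...
MAX_RETENTION_DAYS = 10 * 365   # ... and at most 10 years (365-day years assumed)


@dataclass(frozen=True)
class LogRecord:
    log_id: str
    approx_log_time: date   # the only timestamp retention is evaluated on
    ingest_time: date       # kept to show that it does NOT influence the purge


def is_valid_retention(days: int) -> bool:
    """True if the period is one the retention dialog would accept."""
    return MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS


def effective_date(today: date, current_days: int, new_days: int) -> date:
    """Day on which the new period is first enforced.

    A reduction waits out the grace period; an extension applies at once, so the
    next (assumed daily) purge date is unchanged.
    """
    if new_days < current_days:
        return today + timedelta(days=GRACE_DAYS)
    return today


def retention_limit(purge_day: date, retention_days: int) -> date:
    """Oldest approxLogTime that a purge running on purge_day keeps."""
    return purge_day - timedelta(days=retention_days)


def preview_change(logs, today: date, current_days: int, new_days: int) -> dict:
    """Return the figures the edit-retention dialog shows, plus the list of purged logs."""
    for d in (current_days, new_days):
        if not is_valid_retention(d):
            raise ValueError(f"retention must be {MIN_RETENTION_DAYS}..{MAX_RETENTION_DAYS} days, got {d}")
    applies_on = effective_date(today, current_days, new_days)
    current_limit = retention_limit(today, current_days)
    new_limit = retention_limit(applies_on, new_days)
    # Logs strictly older than the new limit are purged; ingest_time is never consulted.
    purged = sorted(r.log_id for r in logs if r.approx_log_time < new_limit)
    # Absolute date range to search and review before saving, per the page's recommendation.
    review_range = (current_limit, new_limit) if new_limit > current_limit else None
    return {
        "current_retention_limit": current_limit,
        "new_retention_limit": new_limit,
        "change_in_retention_days": new_days - current_days,
        "next_purge": applies_on,
        "logs_to_be_purged": purged,
        "review_search_range": review_range,
    }


# Constructed sample data: five events as seen on 2024-06-30.
TODAY = date(2024, 6, 30)
SAMPLE_LOGS = [
    LogRecord("evt-001", date(2023, 12, 1), date(2023, 12, 1)),   # old event
    LogRecord("evt-002", date(2023, 11, 15), date(2024, 6, 28)),  # late arrival: ingested 2 days ago
    LogRecord("evt-003", date(2024, 1, 8), date(2024, 1, 8)),     # one day older than the new limit
    LogRecord("evt-004", date(2024, 1, 9), date(2024, 1, 9)),     # exactly on the new limit
    LogRecord("evt-005", date(2024, 6, 1), date(2024, 6, 1)),     # recent event
]

if __name__ == "__main__":
    for current, new in ((365, 180), (180, 365)):
        print(f"{current} -> {new} days:")
        for key, value in preview_change(SAMPLE_LOGS, TODAY, current, new).items():
            print(f"  {key}: {value}")
```

Reducing 365 days to 180 on 2024-06-30 yields a next purge of 2024-07-07 and a new retention limit of 2024-01-09, and the purge list contains evt-002 even though it was ingested two days earlier, which is the approxLogTime rule in action; evt-004 survives because it sits exactly on the limit (the script treats "older than" as strict, an assumption). Extending 180 to 365 days takes effect immediately and purges nothing.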
For more information on visibility into purged data, see the Service Health and Consumption documentation.