Selective Log Retention
Selective log retention provides flexibility in managing your log retention. You can define up to three custom retention tiers, each with an independent retention period, and configure how they are enforced. You can then create retention policies and assign each one to a retention tier for enforcement. Selective log retention policies free up storage space so that you can retain your most valuable log data for as long as it is needed, and you can also define policies that purge noisy or less important log data sooner.
As incoming logs are ingested, if they meet the criteria defined in the selective retention policies, they are tagged for those policies. The Selective Log Retention page provides an overview of the policies that are defined, the retention tier each policy is associated with, and a breakdown of what percent of your log data is stored in each tier.
Note
You must have a global retention policy defined before you can configure selective log retention. For more information, see Global Log Retention.
For more information about using selective log retention, see these sections below:
Navigate Selective Log Retention Settings – Provides information about the settings page.
Overview of Selective Log Retention Policy Configuration – Provides an overview of the steps necessary to configure a policy.
Navigate Selective Log Retention Settings
The Selective Log Retention page is available from Settings in the Exabeam Security Operations Platform. The page contains several important areas that you should be familiar with. They are shown in the following image and described in the numbered points below.
The top panel provides a comprehensive overview of the licenses and policies affecting your log data retention, including:
Your licenses – Shows a capacity breakdown according to your own licenses, including Search (hot retention), Long-term Search, and Long-term Storage.
Logs by retention policy – Shows what percentage of your logs is in each type of retention policy, including global retention and any selective retention tiers you have defined.
Selective retention tiers – Shows the definition of each selective retention tier currently configured.
Global retention – Shows the definition of the global retention policy currently configured.
The middle panel provides the following options:
Search – Use the search field to find specific retention policies in the bottom panel.
Edit retention tiers – Click to open the Define selective retention tiers dialog box, where you can edit the individual retention tiers. For more information, see Define Selective Retention Tiers.
Add new policy – Click to open the New selective retention policy dialog box, where you can create additional policies and associate them with selective retention tiers. For more information, see Add Selective Retention Policies.
The bottom panel lists all of the selective retention policies that are currently configured. Each row shows a different policy and displays the following information:
Policy – Displays the name of the policy and the conditions defined for it. These conditions determine which incoming logs are tagged for the policy.
Retention Tier – Displays the retention tier the policy is associated with. To show only the policies that are associated with specific tiers, click the filter icon in the column header, select tiers, and click Apply. To remove the filter, click Clear.
Status – Indicates whether the policy is enabled or retired. To show only the policies that are in a specific status, click the filter icon in the column header, select a status, and click Apply. To remove the filter, click Clear.
Date Created – Shows the date that the policy was created.
Date Retired – Shows the date the policy was retired. This is the date from which the policy no longer tags new log data. If the policy is not yet retired, the value Ongoing is displayed.
Expiration – Shows the number of days remaining until the last log tagged for a retired policy expires.
Options – Provides the following actions:
Duplicate policy – Create a copy of a specific policy. This option is available only for retired policies.
Retire policy – Retire the policy so that no additional logs are tagged for this policy. The retired policy continues to be visible until the last log that is covered by that policy is purged. Then the retired policy is deleted from view.
Note
Retiring a policy does not affect events that have already been ingested. Those events are retained according to the retired policy, but newly ingested events are not covered by the retired policy.
Overview of Selective Log Retention Policy Configuration
To access the Selective Log Retention page, log into the Exabeam Security Operations Platform and click Settings. Under Data Retention, select Selective Retention. The Selective Log Retention page opens. If you have not yet defined any selective retention tiers or policies, the bottom of the page looks like the following.
There are three main steps to configuring selective log retention policies:
If you do not already have a global log retention policy configured, or you want to edit the policy, click Define on the Define global retention policy step. For more information about defining a global policy, see Global Log Retention.
Define selective retention tiers in one of the following ways:
If no tiers have been configured yet, click Define in the Define your selective retention periods step in the bottom panel.
If tiers have already been configured, but you want to edit them or add policies, click the Edit retention tiers button to the right of the search bar in the middle panel of the page. The Define up to 3 selective retention tiers dialog box opens.
For detailed procedures about defining or editing the retention tiers, see Define Selective Retention Tiers.
Do one of the following to add selective retention policies, including creating the policy, setting the conditions it will use to tag incoming logs, and validating those conditions:
If no policies have been created yet, click Add policy in the Add your first selective retention policy step in the bottom panel.
If policies have already been created, click the + Add new policy button to the right of the search bar in the middle panel of the page. The New selective retention policy dialog box opens.
For detailed procedures about adding retention policies, setting their conditions, and validating them, see Add Selective Retention Policies.
Note
When you create a log retention policy, it can be applied only to newly ingested logs. Any existing logs retain their current retention settings.
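The following Python model is an added illustration of the retention semantics described on this page (tagging at ingest time, up to three tiers with independent periods, a global fallback, retirement that stops tagging new logs without changing already-tagged logs, the Expiration column, and the "Logs by retention policy" breakdown). It is hypothetical code written for this page, not Exabeam's implementation; the class and function names, the tier and policy names, the condition-matching rule (every listed field must equal the given value, first matching policy wins) and the sample log records are all constructed assumptions.

```python
"""Conceptual model of selective log retention (added illustration, not product code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionTier:
    name: str
    retention_days: int  # independent retention period for this tier


@dataclass
class RetentionPolicy:
    name: str
    tier: RetentionTier
    conditions: Dict[str, str]  # assumed rule: every field must equal the given value
    created: date
    retired: Optional[date] = None  # None corresponds to "Ongoing" in the policy table

    def matches(self, log: Dict[str, str]) -> bool:
        return all(log.get(k) == v for k, v in self.conditions.items())

    def is_active(self, today: date) -> bool:
        # A policy tags only logs ingested after it was created and before it was retired.
        return self.created <= today and (self.retired is None or today < self.retired)


@dataclass
class StoredLog:
    ingested: date
    fields: Dict[str, str]
    policy: Optional[str]  # name of the tagging policy; None = global retention
    expires: date


class RetentionEngine:
    def __init__(self, global_days: int, policies: List[RetentionPolicy]):
        # The page allows at most three selective retention tiers.
        if len({p.tier.name for p in policies}) > 3:
            raise ValueError("at most three selective retention tiers are allowed")
        self.global_days = global_days
        self.policies = policies
        self.logs: List[StoredLog] = []

    def ingest(self, fields: Dict[str, str], today: date) -> StoredLog:
        """Tag at ingest time: the first active matching policy wins, otherwise global retention."""
        for p in self.policies:
            if p.is_active(today) and p.matches(fields):
                entry = StoredLog(today, fields, p.name, today + timedelta(days=p.tier.retention_days))
                break
        else:
            entry = StoredLog(today, fields, None, today + timedelta(days=self.global_days))
        self.logs.append(entry)
        return entry

    def purge(self, today: date) -> int:
        """Drop logs whose retention period has elapsed; return how many were removed."""
        before = len(self.logs)
        self.logs = [entry for entry in self.logs if entry.expires > today]
        return before - len(self.logs)

    def expiration_days(self, policy_name: str, today: date) -> Optional[int]:
        """Days until the last log tagged for a policy expires (the Expiration column); None if none remain."""
        tagged = [entry.expires for entry in self.logs if entry.policy == policy_name]
        return (max(tagged) - today).days if tagged else None

    def breakdown(self) -> Dict[str, float]:
        """Percent of stored logs under each policy (the 'Logs by retention policy' panel)."""
        counts: Dict[str, int] = {}
        for entry in self.logs:
            key = entry.policy or "global"
            counts[key] = counts.get(key, 0) + 1
        total = len(self.logs)
        return {k: round(100.0 * v / total, 1) for k, v in counts.items()} if total else {}


def run_demo() -> Dict[str, object]:
    """Walk through tagging, retirement, expiration and purge with constructed sample logs."""
    short = RetentionTier("short", 7)    # noisy data, purged sooner
    long_ = RetentionTier("long", 365)   # valuable data, kept longer
    noise = RetentionPolicy("noise", short,
                            {"vendor": "acme", "product": "firewall", "action": "allow"}, date(2024, 1, 1))
    value = RetentionPolicy("value", long_, {"subject": "authentication"}, date(2024, 1, 1))
    engine = RetentionEngine(global_days=90, policies=[noise, value])

    d0 = date(2024, 3, 1)
    first = engine.ingest({"vendor": "acme", "product": "firewall", "action": "allow"}, d0)
    auth = engine.ingest({"vendor": "acme", "product": "idp", "subject": "authentication"}, d0)
    dns = engine.ingest({"vendor": "other", "product": "dns"}, d0)  # matches nothing -> global

    noise.retired = date(2024, 3, 5)  # retire: no new logs are tagged, existing tags are kept
    later = engine.ingest({"vendor": "acme", "product": "firewall", "action": "allow"}, date(2024, 3, 6))
    remaining = engine.expiration_days("noise", date(2024, 3, 6))
    purged = engine.purge(date(2024, 3, 8))  # the 7-day log tagged on 1 March expires here
    return {
        "first": (first.policy, str(first.expires)),
        "auth": (auth.policy, str(auth.expires)),
        "dns": (dns.policy, str(dns.expires)),
        "later": (later.policy, str(later.expires)),
        "remaining": remaining,
        "purged": purged,
        "after": engine.expiration_days("noise", date(2024, 3, 8)),
        "breakdown": engine.breakdown(),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The demo shows the two rules the Notes on this page emphasise: the log ingested after the noise policy was retired falls back to the 90-day global period even though it matches the retired conditions, while the log tagged before retirement keeps its 7-day period and is the one the Expiration count tracks until it is purged.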