Exabeam Search Guide

Selective Log Retention

Selective log retention provides flexibility in managing your log retention. You can define up to three custom retention tiers with independent retention periods, and configure how they will be enforced. You can then create retention policies and assign each one to a retention tier for enforcement. Selective log retention policies can free up storage space, which helps ensure that you can retain your most valuable log data for the necessary duration. You can also define policies to purge noisy or less important log data sooner.

As incoming logs are ingested, if they meet the criteria defined in the selective retention policies, they are tagged for those policies. The Selective Log Retention page provides an overview of the policies that are defined, the retention tier each policy is associated with, and a breakdown of what percent of your log data is stored in each tier.

Note

You must have a global retention policy defined before you can configure selective log retention. For more information, see Global Log Retention.

For more information about using selective log retention, see these sections below:

  • Navigate Selective Log Retention Settings – Provides information about the settings page.

  • Overview of Selective Log Retention Policy Configuration – Provides an overview of the steps necessary to configure a policy.

Navigate Selective Log Retention Settings

The Selective Log Retention page is available from Settings in the Exabeam Security Operations Platform. The page contains several important areas that you should be familiar with. They are shown in the following image and described in the numbered points below.

[Image: selective-log-retention.png]

  1. The top panel provides a comprehensive overview of the licenses and policies affecting your log data retention, including:

    • Your licenses – Shows a capacity breakdown according to your own licenses, including Search (hot retention), Long-term Search, and Long-term Storage.

    • Logs by retention policy – Shows what percentage of your logs is in each type of retention policy, including global retention and any selective retention tiers you have defined.

    • Selective retention tiers – Shows the definition of each selective retention tier currently configured.

    • Global retention – Shows the definition of the global retention policy currently configured.

  2. The middle panel provides the following options:

    • Search – Use the search field to find specific retention policies in the bottom panel.

    • Edit retention tiers – Click to open the Define selective retention tiers dialog box where you can edit the individual retention tiers. For more information, see Define Selective Retention Tiers.

    • Add new policy – Click to open the New selective retention policy dialog box where you can create additional policies and associate them with selective retention tiers. For more information, see Add Selective Retention Policies.

  3. The bottom panel lists all of the selective retention policies that are currently configured. Each row shows a different policy and displays the following information:

    • Policy – Displays the name of the policy and the conditions defined for it. These conditions determine which incoming logs are tagged for the policy.

    • Retention Tier – Displays the retention tier the policy is associated with. To show only the policies that are associated with specific tiers, click the filter icon in the column header, select tiers, and click Apply. To remove the filter, click Clear.

    • Status – Indicates whether the policy is enabled or retired. To show only the policies that are in a specific status, click the filter icon in the column header, select a status, and click Apply. To remove the filter, click Clear.

    • Date Created – Shows the date that the policy was created.

    • Date Retired – Shows the date the policy was retired. This is the date when the policy no longer tags new log data. If the policy is not yet retired, the value Ongoing is displayed.

    • Expiration – Shows the number of days remaining until the last log tagged for a retired policy expires.

    • Options (three-dot icon) –

      • Duplicate policy – Create a copy of a specific policy. This option is available only for retired policies.

      • Retire policy – Retire the policy so that no additional logs are tagged for this policy. The retired policy continues to be visible until the last log that is covered by that policy is purged. Then the retired policy is deleted from view.

        Note

        Retiring a policy does not affect events that have already been ingested. Those events will be retained according to the retired policy, but newly ingested events will not be covered by the retired policy.

Overview of Selective Log Retention Policy Configuration

To access the Selective Log Retention page, log in to the Exabeam Security Operations Platform and click Settings (gear icon). Under Data Retention, select Selective Retention. The Selective Log Retention page opens. If you have not yet defined any selective retention tiers or policies, the bottom of the page looks like the following.

[Image: selective-log-retention-empty.png]

There are three main steps to configuring selective log retention policies:

  1. If you do not already have a global log retention policy configured, or you want to edit the policy, click Define on the Define global retention policy step. For more information about defining a global policy, see Global Log Retention.

  2. Define selective retention tiers in one of the following ways:

    • If no tiers have been configured yet, click Define in the Define your selective retention periods step in the bottom panel.

    • If tiers have already been configured, but you want to edit them or add policies, click the Edit retention tiers button to the right of the search bar in the middle panel of the page. The Define up to 3 selective retention tiers dialog box opens.

    For detailed procedures about defining or editing the retention tiers, see Define Selective Retention Tiers.

  3. Do one of the following to add selective retention policies, including creating the policy, setting the conditions it will use to tag incoming logs, and validating those conditions:

    • If no policies have been created yet, click Add policy in the Add your first selective retention policy step in the bottom panel.

    • If policies have already been created, click the + Add new policy button to the right of the search bar in the middle panel of the page. The New selective retention policy dialog box opens.

    For detailed procedures about adding retention policies, setting their conditions, and validating them, see Add Selective Retention Policies.

    Note

    When you create a log retention policy, it can be applied only to newly ingested logs. Any existing logs retain their current retention settings.