Configure retention

Retention of historical data is controlled for each persisted entity by a configuration entry. Modify it to extend or reduce the default retention.

By default, the CMC retains 500,000 alerts. Note that retaining large numbers of alerts can impair performance. We recommend limiting the number of alerts generated rather than retaining more data. If you want to retain more alerts, we recommend an iterative approach of incrementally increasing this value and evaluating the system's performance. In some cases, you may want to send alerts to a different system using our data integration features instead of retaining the alerts in the sensor.

Alerts retention

Products: CMC, Guardian
Syntax: conf.user configure retention alert rows <rows_to_retain>
Description: Set the number of alerts to retain.
NOTE: When an alert is deleted, the related trace file is deleted too.
Parameters:
  • rows_to_retain: The number of rows to keep (default: 500000)
Where: CLI
To apply: It is applied automatically
Note: You can also change this configuration from the Web UI.

Alerts advanced retention

Products: CMC, Guardian
Syntax: conf.user configure retention alert.out_of_security_profile rows <rows_to_retain>
Description: Set the number of out-of-security-profile alerts to retain. By default, this feature is disabled.
NOTE:
  • This retention has a higher priority than retention alert rows <rows_to_retain> and is executed before it.
  • When an alert is deleted, the related trace file is deleted too.
Parameters:
  • rows_to_retain: The number of rows to keep (disabled by default)
Where: CLI
To apply: It is applied automatically
Note: You can also change this configuration from the Web UI.

Trace retention size

Product: Guardian
Syntax: conf.user configure retention trace_request occupied_space <max_occupied_bytes>
Description: The maximum disk space, in bytes, that traces may occupy. If the traces directory is memory backed, this configuration cannot be overridden and the default value is always used.
Parameters:
  • max_occupied_bytes: Default is half of the disk size if trace storage is disk backed, 95% of the available space if it is memory backed
Where: CLI
To apply: It is applied automatically
Note: You can also change this configuration from the Web UI.

Trace retention rows

Product: Guardian
Syntax: conf.user configure retention trace_request rows <rows_to_retain>
Description: Set the number of traces to retain.
Parameters:
  • rows_to_retain: The number of rows to keep (default: 10000)
Where: CLI
To apply: It is applied automatically
Note: You can also change this configuration from the Web UI.

Trace advanced retention

Products: CMC, Guardian
Syntax: conf.user configure retention trace_request.<generation_cause> rows <rows_to_retain>
Description: Set the number of traces retained according to their generation cause. By default, these options are disabled.
NOTE: This retention has a higher priority than retention trace_request rows <rows_to_retain> and is executed before it. Moreover, these advanced retention options depend on each other, so they must be configured all together or not at all.
Parameters:
  • generation_cause: Can be any of:
      • by_alerts_high: traces generated by high risk alerts
      • by_alerts_medium: traces generated by medium risk alerts
      • by_alerts_low: traces generated by low risk alerts
      • by_user_request: traces generated by a request from the user
  • rows_to_retain: The number of rows to keep
Where: CLI
To apply: It is applied automatically
Note: You can also change this configuration from the Web UI.
For example, we can configure the trace retention with the following command (the rows keyword from the syntax above is required):

  conf.user configure retention trace_request rows 10000

and also set up the advanced retention, which must be configured all together, with:

  conf.user configure retention trace_request rows 10000
  conf.user configure retention trace_request.by_alerts_high rows 5000
  conf.user configure retention trace_request.by_alerts_medium rows 1000
  conf.user configure retention trace_request.by_alerts_low rows 1000
  conf.user configure retention trace_request.by_user_request rows 3000
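The all-or-none rule for the trace generation causes, the required attribute keyword, and the per-entry "To apply" steps can be checked before a batch of commands is pasted into the CLI. The linter below is an added example, not part of the Nozomi documentation or product; it only knows the syntax, defaults and apply steps listed on this page, and the rules it enforces are those stated here.

```python
import re
from dataclasses import dataclass, field

# Documented command shape: conf.user configure retention <entity>[.<qualifier>] <attribute> <value>
CMD_RE = re.compile(
    r"^conf\.user configure retention (?P<entity>[a-z_]+)(?:\.(?P<qualifier>[a-z_]+))?"
    r" (?P<attribute>rows|occupied_space|number_of_files) (?P<value>\d+)$"
)
# Trace advanced retention: all four generation causes must be set together, or none.
TRACE_CAUSES = {"by_alerts_high", "by_alerts_medium", "by_alerts_low", "by_user_request"}
# Entries whose "To apply" row requires a manual shell step instead of automatic application.
MANUAL_APPLY = {
    ("continuous_trace", "occupied_space"): "service n2ostrace stop",
    ("node_cve", "rows"): "service n2osva stop",
}
DEFAULT_ALERT_ROWS = 500_000  # documented default for `retention alert rows`


@dataclass
class LintResult:
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    actions: list = field(default_factory=list)  # shell commands to run after applying


def lint_retention(commands):
    """Check a batch of retention commands against the documented syntax and rules."""
    result, causes_seen = LintResult(), set()
    for raw in commands:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CMD_RE.match(line)
        if not m:  # e.g. the attribute keyword (rows/occupied_space/...) is missing
            result.errors.append(f"unparseable command: {line!r}")
            continue
        entity, qualifier, attribute = m["entity"], m["qualifier"], m["attribute"]
        value = int(m["value"])
        if entity == "trace_request" and qualifier in TRACE_CAUSES:
            causes_seen.add(qualifier)
        if (entity, qualifier) == ("alert", None) and value > DEFAULT_ALERT_ROWS:
            result.warnings.append(
                f"alert rows {value} exceeds default {DEFAULT_ALERT_ROWS}; raise it incrementally")
        action = MANUAL_APPLY.get((entity, attribute))
        if action and action not in result.actions:
            result.actions.append(action)
    if causes_seen and causes_seen != TRACE_CAUSES:
        result.errors.append(
            f"trace_request advanced retention is all-or-none; missing {sorted(TRACE_CAUSES - causes_seen)}")
    return result
```

Feed it the lines you intend to run; a non-empty errors list means the batch would either be rejected or leave the advanced trace retention half-configured.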

Continuous trace retention size

Product: Guardian
Syntax: conf.user configure retention continuous_trace occupied_space <max_occupied_bytes>
Description: Set the maximum disk space, in bytes, that continuous traces may occupy.
Parameters:
  • max_occupied_bytes: The maximum number of bytes to keep (default: half of the disk size)
Where: CLI
To apply: In a shell console, execute: service n2ostrace stop
Note: You can also change this configuration from the Web UI.

Continuous trace retention rows

Product: Guardian
Syntax: conf.user configure retention continuous_trace rows <rows_to_retain>
Description: Set the number of continuous traces to retain.
Parameters:
  • rows_to_retain: The number of rows to keep (default: 10000)
Where: CLI
To apply: It is applied automatically
Note: You can also change this configuration from the Web UI.

Link events retention

Product: Guardian
Syntax: conf.user configure retention link_event rows <rows_to_retain>
Description: Set the number of link events to retain.
Parameters:
  • rows_to_retain: The number of rows to keep (default: 2500000)
Where: CLI
To apply: It is applied automatically
Note: You can also change this configuration from the Web UI.

Captured urls retention

Product: Guardian
Syntax: conf.user configure retention captured_urls rows <rows_to_retain>
Description: Set the number of captured "URLs" (HTTP queries, DNS queries, etc.) to retain.
Parameters:
  • rows_to_retain: The number of rows to keep (default: 10000)
Where: CLI
To apply: It is applied automatically
Note: You can also change this configuration from the Web UI.

Variable history retention

Product: Guardian
Syntax: conf.user configure retention variable_history rows <rows_to_retain>
Description: Set the number of historical variable values to retain.
Parameters:
  • rows_to_retain: The number of rows to keep (default: 1000000)
Where: CLI
To apply: It is applied automatically
Note: You can also change this configuration from the Web UI.

Node CVE retention

Product: Guardian
Syntax: conf.user configure retention node_cve rows <rows_to_retain>
Description: Set the maximum number of node_cve entries to retain.
Parameters:
  • rows_to_retain: The number of rows to keep (default: 100000)
Where: CLI
To apply: In a shell console, execute: service n2osva stop
Note: You can also change this configuration from the Web UI.

Uploaded traces retention

Product: Guardian
Syntax: conf.user configure retention input_pcap rows <files_to_retain>
Description: Set the number of uploaded PCAP files to retain.
Parameters:
  • files_to_retain: The number of files to keep (default: 10)
Where: CLI
To apply: It is applied automatically
Note: You can also change this configuration from the Web UI.

File quarantine retention

Product: Guardian
Syntax: conf.user configure retention quarantine number_of_files <files_to_retain>
Description: Set the number of quarantined files to retain. When a new file is added to a sensor, Nozomi deletes the oldest quarantined file if the number of quarantined files exceeds this limit and the sensor needs to free disk space.
Parameters:
  • files_to_retain: The number of files to keep (default: 50)
Where: CLI
To apply: It is applied automatically
Note: You can also change this configuration from the Web UI.