Retention of historical data is controlled for each persisted entity by a configuration
entry. Modify it to extend or reduce the default retention.
By default, the CMC retains 500,000 alerts. Note that retaining large numbers of alerts can
impair performance. We recommend limiting the number of alerts generated rather than retaining
more data. If you want to retain more alerts, we recommend an iterative approach of
incrementally increasing this value and evaluating the system's performance. In some cases,
you may want to send alerts to a different system using our data integration features instead
of retaining the alerts in the sensor.
Alerts retention
|
Products
|
CMC, Guardian |
|
Syntax
|
conf.user configure retention alert rows <rows_to_retain> |
|
Description
|
Set the amount of alerts to retain.
NOTE: When an alert is deleted, the related trace file is deleted too.
|
|
Parameters
|
rows_to_retain: The number of rows to keep (default: 500000) |
|
Where
|
CLI
|
|
To apply
|
It is applied automatically
|
|
Note
|
You can also change this configuration from the Web UI. |
Alerts advanced retention
|
Products
|
CMC, Guardian |
|
Syntax
|
conf.user configure retention alert.out_of_security_profile rows <rows_to_retain> |
|
Description
|
Set the amount of alerts out of security profile to retain. By default, this feature is disabled.
NOTE:
- This retention has a higher priority than
retention alert rows <rows_to_retain> and will be executed before it.
- When an alert is deleted, the related trace file is deleted too.
|
|
Parameters
|
rows_to_retain: The number of rows to keep (disabled by default) |
|
Where
|
CLI
|
|
To apply
|
It is applied automatically
|
|
Note
|
You can also change this configuration from the Web UI. |
Trace retention size
|
Product
|
Guardian |
|
Syntax
|
conf.user configure retention trace_request occupied_space <max_occupied_bytes> |
|
Description
|
The maximum traces occupation on disk in bytes. If the traces directory is memory backed, this configuration cannot
be overridden and the default value will always be used.
|
|
Parameters
|
max_occupied_bytes: Default value is half of disk size if traces storage is disk backed, 95% of available space if memory backed |
|
Where
|
CLI
|
|
To apply
|
It is applied automatically
|
|
Note
|
You can also change this configuration from the Web UI. |
Trace retention rows
|
Product
|
Guardian |
|
Syntax
|
conf.user configure retention trace_request rows <rows_to_retain> |
|
Description
|
Set the amount of traces to retain.
|
|
Parameters
|
rows_to_retain: The number of rows to keep (default: 10000) |
|
Where
|
CLI
|
|
To apply
|
It is applied automatically
|
|
Note
|
You can also change this configuration from the Web UI. |
Trace advanced retention
|
Products
|
CMC, Guardian |
|
Syntax
|
conf.user configure retention trace_request.<generation_cause> rows <rows_to_retain> |
|
Description
|
Set the amount of traces retained considering their generation cause. By default, these options are disabled.
NOTE:
This retention has a higher priority than retention trace rows <rows_to_retain> and will be executed before it.
Moreover, These advanced retention options depend on each other, thus they must be configured all together or none.
|
|
Parameters
|
-
generation_cause: Can be any of:
-
by_alerts_high: traces generated by high risk alerts
-
by_alerts_medium: traces generated by medium risk alerts
-
by_alerts_low: traces generated by low risk alerts
-
by_user_request: traces generated by a request from the user
-
rows_to_retain: The number of rows to keep
|
|
Where
|
CLI
|
|
To apply
|
It is applied automatically
|
|
Note
|
You can also change this configuration from the Web UI. |
For example, we can configure the trace retention with the following command:
conf.user configure retention trace_request 10000
and also set up the advanced retention with:
conf.user configure retention trace_request 10000
conf.user configure retention trace_request.by_alerts_high 5000
conf.user configure retention trace_request.by_alerts_medium 1000
conf.user configure retention trace_request.by_alerts_low 1000
conf.user configure retention trace_request.by_user_request 3000
Continuous trace retention size
|
Product
|
Guardian |
|
Syntax
|
conf.user configure retention continuous_trace occupied_space <max_occupied_bytes> |
|
Description
|
Set max occupation in bytes for continuous traces
|
|
Parameters
|
max_occupied_bytes: the number of bytes to keep (default: half of disk size) |
|
Where
|
CLI
|
|
To apply
|
In a shell console execute: service n2ostrace stop
|
|
Note
|
You can also change this configuration from the Web UI. |
Continuous trace retention rows
|
Product
|
Guardian |
|
Syntax
|
conf.user configure retention continuous_trace rows <rows_to_retain> |
|
Description
|
Set the amount of continuous traces to retain
|
|
Parameters
|
rows_to_retain: the number of rows to keep (default: 10000) |
|
Where
|
CLI
|
|
To apply
|
It is applied automatically
|
|
Note
|
You can also change this configuration from the Web UI. |
Link events retention
|
Product
|
Guardian |
|
Syntax
|
conf.user configure retention link_event rows <rows_to_retain> |
|
Description
|
Set the amount of link events to retain
|
|
Parameters
|
rows_to_retain: The number of rows to keep (default: 2500000) |
|
Where
|
CLI
|
|
To apply
|
It is applied automatically
|
|
Note
|
You can also change this configuration from the Web UI. |
Captured urls retention
|
Product
|
Guardian |
|
Syntax
|
conf.user configure retention captured_urls rows <rows_to_retain> |
|
Description
|
Set the amount of captured "urls" (http queries, dns queries, etc) to retain
|
|
Parameters
|
rows_to_retain: The number of rows to keep (default: 10000) |
|
Where
|
CLI
|
|
To apply
|
It is applied automatically
|
|
Note
|
You can also change this configuration from the Web UI. |
Variable history retention
|
Product
|
Guardian |
|
Syntax
|
conf.user configure retention variable_history rows <rows_to_retain> |
|
Description
|
Set the amount of variable historical values to retain
|
|
Parameters
|
rows_to_retain: The number of rows to keep (default: 1000000) |
|
Where
|
CLI
|
|
To apply
|
It is applied automatically
|
|
Note
|
You can also change this configuration from the Web UI. |
Node CVE retention
|
Product
|
Guardian |
|
Syntax
|
conf.user configure retention node_cve rows <rows_to_retain> |
|
Description
|
Set the maximum amount of node_cve entries to retain
|
|
Parameters
|
rows_to_retain: The number of rows to keep (default: 100000) |
|
Where
|
CLI
|
|
To apply
|
In a shell console execute: service n2osva stop
|
|
Note
|
You can also change this configuration from the Web UI. |
Uploaded traces retention
|
Product
|
Guardian |
|
Syntax
|
conf.user configure retention input_pcap rows <files_to_retain> |
|
Description
|
Set the amount of PCAP files to retain
|
|
Parameters
|
files_to_retain: The number of files to keep (default: 10) |
|
Where
|
CLI
|
|
To apply
|
It is applied automatically
|
|
Note
|
You can also change this configuration from the Web UI. |
File quarantine retention
|
Product
|
Guardian |
|
Syntax
|
conf.user configure retention quarantine number_of_files <files_to_retain> |
|
Description
|
Set the number of files to retain. When a new file is added to a sensor,
Nozomi deletes the oldest quarantined file if the file exceeds this limit and
the sensor needs to free disk space.
|
|
Parameters
|
files_to_retain: The number of files to keep (default: 50) |
|
Where
|
CLI
|
|
To apply
|
It is applied automatically
|
|
Note
|
You can also change this configuration from the Web UI. |
