How to Increase the Log retention period on ArcSight Logger to 7 years

I am trying to configure an ArcSight Logger 7.3, RHEL 8.3 so that it retains logs for 7 years. It currently has 19TB worth of free space.

I have amended the logger.properties file and added this entry - logger.archive.space.allocated-in-gb=2284

And the default storage group configuration includes the following:

Maximum Live Data Age (Days): 345

Allocated (GB): 1250

Maximum Archives Age (Days): -1

Used (GB): 1118

I am unsure of what I need to do next, as I do not want to apply a misconfiguration that can corrupt the system.

  • Suggested Answer

    Hi there, so the config you have specified looks like it has set aside ~2.2TB for archives, and the rest of the space for live events.

    If Event Archiving is enabled, each day archives will be written to the archive location, and based on your settings, never deleted.

    You will currently be keeping online events for 345 days (in logger, always searchable, without having to rely on reloading archives).

    However, if you fill your 1.2TB Storage group, old events will be evicted as new ones are written, even if it is before the 345 days, so you need to keep an eye on that. Maybe configure an alert to let you know when it's getting full.

    Is your intention to have online storage searchable for 7 years, or just ensure you have events stored and possibly searchable over 7 years?

    Typically customers might have 3-12 months live data, then they'd depend on archives to help you meet 7 year retention requirements for compliance. These archives can later be reactivated/searched.

    Hope that makes sense?

    Regards,

    Ian.
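
A sizing check for the two limits described in the answer above (the storage group filling before the maximum live age, and the archive allocation covering 7 years), added here as an example that is not part of the original thread or of any ArcSight tooling. The storage figures come from the question; the daily ingest and archive rates, the 7 x 365 day target and all function names are assumptions for illustration.

```python
from dataclasses import dataclass

TARGET_DAYS = 7 * 365  # 7-year retention goal from the question, leap days ignored


@dataclass
class Sizing:
    live_days_supported: float   # days of events the storage group can hold
    evicts_before_max_age: bool  # True if space runs out before Maximum Live Data Age
    days_until_full: float       # at the assumed ingest rate, from current usage
    used_pct: float              # value to alert on
    archive_gb_needed: float     # space for target_days of daily archives
    archive_shortfall_gb: float  # 0 when the archive allocation is enough


def assess(allocated_gb, used_gb, max_live_age_days, archive_allocated_gb,
           daily_live_gb, daily_archive_gb, target_days=TARGET_DAYS):
    if daily_live_gb <= 0 or daily_archive_gb <= 0:
        raise ValueError("daily rates must be positive")
    live_days = allocated_gb / daily_live_gb
    archive_needed = target_days * daily_archive_gb
    return Sizing(
        live_days_supported=live_days,
        evicts_before_max_age=live_days < max_live_age_days,
        days_until_full=max(0.0, allocated_gb - used_gb) / daily_live_gb,
        used_pct=round(100 * used_gb / allocated_gb, 2),
        archive_gb_needed=archive_needed,
        archive_shortfall_gb=max(0.0, archive_needed - archive_allocated_gb),
    )


def thread_example():
    # Storage values are from the question; the two daily rates are constructed
    # placeholders, so measure your own before relying on the result.
    return assess(allocated_gb=1250, used_gb=1118, max_live_age_days=345,
                  archive_allocated_gb=2284,
                  daily_live_gb=4.0, daily_archive_gb=1.0)


if __name__ == "__main__":
    print(thread_example())
```

With the constructed rates, the storage group holds fewer days than the configured live age and the archive allocation falls short of the 7-year target, which are the two conditions worth alerting on.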

  • 0 in reply to   

    Exactly, Ian. Interestingly, someone would want to have searchable online storage for seven years.

    John, do you understand the difference between online storage and archives?

    Cheers,

    Daniel

  • 0 in reply to 

    Understood, I've applied the appropriate configuration to the hot and cold storage groups. The explanation makes sense, so thanks for the response.

  • 0 in reply to   

    It does, thanks