Click the Flow Retention icon - IBM Security QRadar SIEM Version MR1. Administration Guide

The Flow Retention window is provides the following information for each retention bucket:

The Event Retention toolbar provides the following functions:

Step 4 Double-click the first available retention bucket.

Step 5 Configure the following parameters:

Table 5-14 Flow Retention Window Parameters Parameter Description

Order Specifies the priority order of the retention buckets.

Name Specifies the name of the retention bucket.

Retention Specifies the retention period of the retention bucket.

Compression Specifies the compression policy of the retention bucket.

Deletion Policy Specifies the deletion policy of the retention bucket.

Filters Specifies the filters applied to the retention bucket. Move your mouse pointer over the Filters parameter for more information on the applied filters.

Distribution Specifies the retention bucket usage as a percentage of total event or flow retention in all your retention buckets.

Enabled Specifies whether the retention bucket is enabled (true) or disabled (false). The default setting is true.

Creation Date Specifies the date and time the retention bucket was created.

Modification Date Specifies the date and time the retention bucket was last modified.

Table 5-15 Event Retention Window Toolbar

Function Description

Edit Click Edit to edit a retention bucket. For more information on editing a retention bucket, see Editing a Retention Bucket.

Enable/Disable Click Enable/Disable to enable or disable a retention bucket.

By default, retention buckets are enabled. For more

information on disabling retention buckets, see Enabling and Disabling a Retention Bucket.

Delete Click Delete to delete a retention bucket. For more information on deleting retention buckets, see Deleting a Retention Bucket.

Table 5-16 Retention Properties Window Parameters Parameter Description

Name Type a unique name for the retention bucket.

Keep data placed

in this bucket for From the list box, select a retention period. When the retention period is reached, flows are deleted according to the Delete data in this bucket parameter. The default setting is 1 month. The minimum is 1 day and the maximum is 2 years.

Allow data in this bucket to be compressed

Select the check box to enable data compression, and then select a time frame from the list box. When the time frame is reached, all flows in the retention bucket are eligible to be compressed. This increases system performance by

guaranteeing that no data is compressed within the specified time period. Compression only occurs when used disk space reaches 83% for payloads and 85% for records.

The default setting is 1 week. The minimum is Never and the maximum is 2 weeks.

Delete data in this

bucket From the list box, select a deletion policy. Options include:

• When storage space is required - Select this option if you want flows that match the Keep data placed in this bucket for parameter to remain in storage until the disk monitoring system detects that storage is required. If used disk space reaches 85% for records and 83% for payloads, data will be deleted. Deletion continues until the used disk space reaches 82% for records and 81% for payloads.

When storage is required, only events that match the Keep data placed in this bucket for parameter are deleted.

• Immediately after the retention period has expired - Select this option if you want flows to be deleted immediately on matching the Keep data placed in this bucket for parameter.

The events are deleted at the next scheduled disk maintenance process, regardless of free disk space or compression requirements.

Description Type a description for the retention bucket. This field is optional.

Using Event and Flow Retention Buckets 77

Step 6 Click Save.

Your flow retention bucket is saved and starts storing flows that match the retention parameters immediately.

Managing Retention

Buckets After you configure your retention buckets, you can manage the buckets using the Event Retention and Flow Retention windows.

This section includes the following topics:

• Managing Retention Bucket Sequence

• Editing a Retention Bucket

• Enabling and Disabling a Retention Bucket

• Deleting a Retention Bucket

Managing Retention Bucket Sequence

Retention buckets are sequenced in priority order from the top row to the bottom row on the Event Retention and Flow Retention windows. A record is stored in the first retention bucket that matches the record parameters. You can change the order of the retention buckets to ensure that events and flows are being matched against the retention buckets in the order that matches your requirements.

To manage the retention bucket sequence:

Step 1 Click the Admin tab.

Step 2 On the navigation menu, click Data Sources.

Step 3 Choose one of the following options:

Current Filters In the Current Filters pane, configure your filters.

To add a filter:

1 From the first list box, select a parameter you want to filter for.

For example, Device, Source Port, or Event Name.

2 From the second list box, select the modifier you want to use for the filter. The list of modifiers depends on the attribute selected in the first list.

3 In the text field, type specific information related to your filter.

4 Click Add Filter.

The filters are displayed in the Current Filters text box. You can select a filter and click Remove Filter to remove a filter from the Current Filter text box.

Note: This parameter is not displayed when editing the default retention bucket.

Table 5-16 Retention Properties Window Parameters (continued) Parameter Description

a To manage the event retention bucket sequence, click the Event Retention icon. The Event Retention window is displayed.

b To manage the flow retention bucket sequence, click the Flow Retention icon.

The Flow Retention window is displayed.

Step 4 Select the retention bucket you want to move, and then click one of the following icons:

• Up - Click this icon to move the selected retention bucket up one row in priority sequence.

• Down - Click this icon to move the selected retention bucket down one row in priority sequence.

• Top - Click this icon to move the selected retention bucket to the top of the priority sequence.

• Bottom - Click this icon to move the selected retention bucket to the bottom of the priority sequence.

NOTE You cannot move the default retention bucket. It always resides at the bottom of the list.

Editing a Retention Bucket To edit a retention bucket:

Step 1 Click the Admin tab.

Step 2 On the navigation menu, click Data Sources.

Step 3 Choose one of the following options:

• To edit an event retention bucket, click the Event Retention icon. The Event Retention window is displayed.

• To edit a flow retention bucket, click the Flow Retention icon. The Flow Retention window is displayed.

In document IBM Security QRadar SIEM Version MR1. Administration Guide (Page 83-86)