Using the Event Retention feature available on the Admin tab, you can configure retention buckets. Each retention bucket defines a retention policy for events that match custom filter requirements. As STRM Log Manager receives events, each event is compared against retention bucket filter criteria. When an event matches a retention bucket filter, it is stored in that retention bucket until the retention policy time period is reached. This feature enables you to configure multiple retention buckets.
Retention buckets are sequenced in priority order from the top row to the bottom row on the Event Retention window. A record is stored in the bucket that matches the filter criteria with highest priority. If the record does not match any of your configured retention buckets, the record is stored in the default retention bucket, which is always located below the list of configurable retention buckets.
This section includes the following topics:
• Configuring Event Retention Buckets
• Managing Retention Buckets
Configuring Event Retention Buckets
By default, the Event Retention feature provides a default retention bucket and 10 unconfigured retention buckets. Until you configure an event retention bucket, all events are stored in the default retention bucket.
To configure an event retention bucket:
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click Data Sources.
Step 3 Click the Event Retention icon.
The Event Retention window provides the following information for each retention bucket:
Table 5-11 Event Retention Window Parameters
Parameter - Description
Order - Specifies the priority order of the retention buckets.
Name - Specifies the name of the retention bucket.
Retention - Specifies the retention period of the retention bucket.
Compression - Specifies the compression policy of the retention bucket.
Deletion Policy - Specifies the deletion policy of the retention bucket.
Filters - Specifies the filters applied to the retention bucket. Move your mouse pointer over the Filters parameter for more information on the applied filters.
Distribution - Specifies the retention bucket usage as a percentage of total event retention in all your retention buckets.
Enabled - Specifies whether the retention bucket is enabled (true) or disabled (false). The default setting is true.
Creation Date - Specifies the date and time the retention bucket was created.
Modification Date - Specifies the date and time the retention bucket was last modified.
The Event Retention toolbar provides the following functions:
Table 5-12 Event Retention Window Toolbar
Function - Description
Edit - Click Edit to edit a retention bucket. For more information on editing a retention bucket, see Editing a Retention Bucket.
Enable/Disable - Click Enable/Disable to enable or disable a retention bucket. For more information on enabling and disabling retention buckets, see Enabling and Disabling a Retention Bucket.
Delete - Click Delete to delete a retention bucket. For more information on deleting retention buckets, see Deleting a Retention Bucket.
Step 4 Double-click the first available retention bucket.
Step 5 Configure the following parameters:
Table 5-13 Retention Properties Window Parameters
Parameter - Description
Name - Type a unique name for the retention bucket.
Keep data placed in this bucket for - From the list box, select a retention period. When the retention period is reached, events are deleted according to the Delete data in this bucket parameter. The default setting is 1 month. The minimum is 1 day and the maximum is 2 years.
Allow data in this bucket to be compressed - Select the check box to enable data compression, and then select a time frame from the list box. When the time frame is reached, all events in the retention bucket are eligible to be compressed. This increases system performance by guaranteeing that no data is compressed within the specified time period. Compression only occurs when used disk space reaches 83% for payloads and 85% for records. The default setting is 1 week. The minimum is Never and the maximum is 2 weeks.
Delete data in this bucket - From the list box, select a deletion policy. Options include:
• When storage space is required - Select this option if you want events that match the Keep data placed in this bucket for parameter to remain in storage until the disk monitoring system detects that storage is required. If used disk space reaches 85% for records and 83% for payloads, data will be deleted. Deletion continues until the used disk space reaches 82% for records and 81% for payloads.
When storage is required, only events that match the Keep data placed in this bucket for parameter are deleted.
• Immediately after the retention period has expired - Select this option if you want events to be deleted immediately on matching the Keep data placed in this bucket for parameter.
The events are deleted at the next scheduled disk maintenance process, regardless of free disk space or compression requirements.
Description - Type a description for the retention bucket. This field is optional.
Current Filters - In the Current Filters pane, configure your filters.
To add a filter:
1 From the first list box, select a parameter you want to filter for. For example, Device, Source Port, or Event Name.
2 From the second list box, select the modifier you want to use for the filter. The list of modifiers depends on the attribute selected in the first list.
3 In the text field, type specific information related to your filter.
4 Click Add Filter.
The filters are displayed in the Current Filters text box. You can select a filter and click Remove Filter to remove a filter from the Current Filters text box.
Step 6 Click Save.
Your event retention bucket configuration is saved.
Step 7 Click Save.
Your event retention bucket starts storing events that match the retention parameters immediately.
Managing Retention Buckets
After you configure your retention buckets, you can manage the buckets using the Event Retention window.
This section includes the following topics:
• Managing Retention Bucket Sequence
• Editing a Retention Bucket
• Enabling and Disabling a Retention Bucket
• Deleting a Retention Bucket
Managing Retention Bucket Sequence
Retention buckets are sequenced in priority order. A record is stored in the first retention bucket that matches the record parameters. You can change the order of the retention buckets to ensure that events are being matched against the retention buckets in the order that matches your requirements.
To manage the retention bucket sequence:
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click Data Sources.
Step 3 Click the Event Retention icon.
Step 4 Select the retention bucket you want to move, and then click one of the following icons:
• Up - Click this icon to move the selected retention bucket up one row in priority sequence.
• Down - Click this icon to move the selected retention bucket down one row in priority sequence.
• Top - Click this icon to move the selected retention bucket to the top of the priority sequence.
• Bottom - Click this icon to move the selected retention bucket to the bottom of the priority sequence.
NOTE
You cannot move the default retention bucket. It always resides at the bottom of the list.
Editing a Retention Bucket
To edit a retention bucket:
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click Data Sources.
Step 3 Click the Event Retention icon.
Step 5 Edit the parameters. For more information on event retention parameters, see Table 5-13.
NOTE
On the Retention Parameters window, the Current Filters pane does not display when editing a default retention bucket.
Step 6 Click Save.
Your changes are saved.
Enabling and Disabling a Retention Bucket
When you configure and save a retention bucket, it is enabled by default. You can tune your event retention by disabling a bucket.
When you disable a bucket, any new events that match the requirements for the disabled bucket are stored in the next bucket that matches the event properties.
To enable or disable a retention bucket:
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click Data Sources.
Step 3 Click the Event Retention icon.
Step 4 Select the retention bucket you want to disable, and then click Enable/Disable.
The retention bucket is disabled. You can click Enable/Disable to enable the retention bucket again.
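The priority, default-bucket, and disable rules described above can be modelled offline to check a planned bucket order before you apply it. The following Python sketch is an added example, not STRM Log Manager code; the bucket names, filter fields, sample events, and the 30-day period on the default bucket are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Bucket:
    name: str
    retention_days: int
    matches: Callable[[dict], bool]  # stands in for the Current Filters pane
    enabled: bool = True

# Assumption: the page does not state the default bucket's period; 30 days is a placeholder.
DEFAULT = Bucket("Default", 30, lambda e: True)

def select_bucket(event, buckets):
    """First enabled bucket, top row to bottom row, whose filter matches; else the default."""
    for b in buckets:
        if b.enabled and b.matches(event):
            return b
    return DEFAULT

def shadowed(events, buckets):
    """(winner, loser) name pairs where a lower-priority bucket with a longer
    retention period also matched an event but never received it."""
    found = set()
    for e in events:
        winner = select_bucket(e, buckets)
        for b in buckets:
            if (b.enabled and b is not winner and b.matches(e)
                    and b.retention_days > winner.retention_days):
                found.add((winner.name, b.name))
    return sorted(found)

# Constructed sample configuration and events (not taken from a real system).
BUCKETS = [
    Bucket("All firewall", 7, lambda e: e["device"] == "fw01"),
    Bucket("Auth failures", 730, lambda e: e["event_name"] == "Login Failed"),
]
EVENTS = [
    {"device": "fw01", "event_name": "Login Failed"},
    {"device": "srv02", "event_name": "Login Failed"},
    {"device": "srv02", "event_name": "Service Started"},
]

if __name__ == "__main__":
    for e in EVENTS:
        b = select_bucket(e, BUCKETS)
        print(e, "->", b.name, f"({b.retention_days} days)")
    print("shadowed:", shadowed(EVENTS, BUCKETS))
```

A non-empty result from shadowed() means events you intended to keep for the longer period are being stored under a shorter one, which is corrected by moving the longer-retention bucket up in the sequence.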
Deleting a Retention Bucket
When you delete a retention bucket, the events contained in the retention bucket are not removed from the system; only the criteria defining the bucket are deleted.
All events are maintained in storage.
To delete a retention bucket:
Step 1 Click the Admin tab.
Step 2 On the navigation menu, click Data Sources.
Step 3 Click the Event Retention icon.
Step 4 Select the retention bucket you want to delete, and then click Delete.
The retention bucket is deleted.