Administration Guides

Data Retention of Audit Data and Archive

Home


Overview

Two types of retention are supported, online and long term archive.  

  1. Online means audit data that is searchable in the index. Operational requests for auditing typically do not exceed 30 days but we support up-to 18 months online searchable depending on the audit rate.  This is for optimal performance and maintaining a manageable database size.  Contact support to get automatic data retention applied to the database.  Typical values are 6 months or 1 year online searchable.
  2. Database is the secondary version of audit data and for all long term retention requirements raw audit in GZ format should always be stored for long term retention as the data is shareable in a format needed for auditors and is compatible with OneFS tools.  The database is not in a format that auditors can use in a sharable format.
  3. Database management tasks and size of DB require online searching to prune data older than 18 months maximum.
  4. The ECA VM deployment is designed for online search and VM count may need to be increased to manage a large database up to 18 months of data or longer.
  5. NOTE:  Longer than 18 months can be requested through a support case, the more data stored online will require addition VM's and memory added to each VM to manage the larger database index needed for searching.
  6. Long term storage of audit data
    1. PowerScale audit data must be purged as the raw audit data is stored on the PowerScale in GZ format and is never deleted.  For long term storage of audit data depending on business need this format should be stored in an archive location in GZ format.  We recommend purging these GZ files twice per year.  See EMC SR requirement and steps documented here.
    2. NOTE: Preserve the folder hierarchy of the audit data with nodes and created and modified date stamps when archiving this data.  The only method to ingest GZ data is based on the data stamp of the GZ files that determines the date range covered by the GZ files for ingestion.
    3. The GZ files impact ingestion audit performance if 1000's of files are left on PowerScale and the purge process allows them to be removed and archived at the same time.  This is the other requirement to remove old GZ data to reduce NFS audit data bandwidth ingestion.

Actions

  1. Open a support case to get the database retention set to 6m , 1 year or 18 months or longer (additional VM's will be required to be supported)
  2. Review PowerScale GZ purge procedure
  3. Identify long term archive location for GZ audit data
© Superna Inc