Log and event storage best practices

Best practices for log and event data storage depend on the data compliance regulations you must meet, for example PCI DSS and HIPAA. You also need to consider the load on your database: storing more event data than necessary increases both its size and the work it has to do, which can degrade performance.

If you store more data than your database can handle, you may see symptoms such as error messages reporting a loss of database activity, an inability to import software updates, or a general slow-down of Deep Security.

To avoid the above symptoms, follow the steps below:

  1. Set the retention period for system events to the minimum your compliance standard requires.

  2. Set up forwarding of system and module events to a syslog server or SIEM (see "Forward events to an external Syslog or SIEM server"). Once events are retained externally, you can lower the local retention times on the Storage tab if necessary.

  3. Set up severity thresholds in the log inspection module for event storage and event forwarding. Referred to as "severity pruning" in the Deep Security documentation, this stores an event locally, or sends it to a syslog server (if enabled), only when the severity level of the log inspection rule that generated it is at or above the threshold you choose. See "Thresholds for Event Storage or Event Forwarding".

Default local storage settings are in the table below. To change these settings, go to Administration > System Settings > Storage. To delete software versions or older rule updates, go to Administration > Updates > Software > Local or Administration > Updates > Security > Rules.

To reduce database disk space usage, forward events to an external Syslog server or SIEM and shorten the local event retention times, keeping only the counters locally.
Data type setting                                              Data pruning default setting
Automatically delete Anti-Malware Events older than:           7 days
Automatically delete Web Reputation Events older than:         7 days
Automatically delete Firewall Events older than:               7 days
Automatically delete Intrusion Prevention Events older than:   7 days
Automatically delete Integrity Monitoring Events older than:   7 days
Automatically delete Log Inspection Events older than:         7 days
Automatically delete Application Control Events older than:    7 days
Automatically delete System Events older than:                 53 weeks
Automatically delete Server Logs older than:                   7 days
Automatically delete Counters older than:                      13 weeks
Number of older Software Versions to keep per platform:*       5 versions
Number of older Rule Updates to keep:                          10 rule updates

* If you have multi-tenancy enabled, this setting will not be available.
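The two mechanisms above, age-based pruning using the default retention periods from the table and severity pruning of log inspection events (step 3), can be modelled in a few lines. The following is an added example written for this page, not Deep Security's own code: it keeps a constructed batch of sample events, routes log inspection events to "store" and/or "forward" by severity threshold, and splits the batch into kept and pruned sets by each module's retention period. The 0-15 severity scale, the module key names and the sample event text are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Default local retention periods transcribed from the table above
# (53 weeks and 13 weeks converted to days). Module key names are assumed.
DEFAULT_RETENTION_DAYS = {
    "anti_malware": 7,
    "web_reputation": 7,
    "firewall": 7,
    "intrusion_prevention": 7,
    "integrity_monitoring": 7,
    "log_inspection": 7,
    "application_control": 7,
    "system": 53 * 7,
    "server_log": 7,
    "counters": 13 * 7,
}

# Fixed "now" so the example is reproducible offline (constructed, not a live clock).
NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    module: str          # key into DEFAULT_RETENTION_DAYS
    severity: int        # rule severity; the 0-15 scale is an assumption for this example
    timestamp: datetime
    message: str


def make_event(module: str, severity: int, days_old: int, message: str) -> Event:
    """Build a constructed sample event that occurred `days_old` days before NOW."""
    return Event(module, severity, NOW - timedelta(days=days_old), message)


def route_by_severity(event: Event, store_threshold: int,
                      forward_threshold: int, syslog_enabled: bool) -> set:
    """Severity pruning: decide whether an event is stored locally, forwarded to
    syslog/SIEM, both, or dropped. Each threshold is an inclusive minimum severity."""
    actions = set()
    if event.severity >= store_threshold:
        actions.add("store")
    if syslog_enabled and event.severity >= forward_threshold:
        actions.add("forward")
    return actions


def prune_expired(events, retention_days=DEFAULT_RETENTION_DAYS, now=NOW):
    """Age-based pruning: split events into (kept, pruned) lists using each
    module's retention period. An event is pruned once it is older than the limit."""
    kept, pruned = [], []
    for ev in events:
        limit = timedelta(days=retention_days[ev.module])
        (pruned if now - ev.timestamp > limit else kept).append(ev)
    return kept, pruned


# Constructed sample data: a handful of events across modules and ages.
SAMPLE_EVENTS = [
    make_event("firewall", 3, 6, "Dropped inbound TCP 23 from 203.0.113.5"),
    make_event("firewall", 3, 8, "Dropped inbound TCP 23 from 203.0.113.9"),
    make_event("log_inspection", 10, 1, "Multiple failed sshd logins"),
    make_event("log_inspection", 2, 1, "sshd session opened"),
    make_event("system", 5, 300, "Agent activated"),
    make_event("counters", 0, 100, "Hourly firewall counter"),
]


if __name__ == "__main__":
    # Forward Medium (4) and above to the SIEM; keep only High (8) and above locally.
    for ev in SAMPLE_EVENTS:
        if ev.module == "log_inspection":
            print(ev.severity, ev.message, "->", sorted(route_by_severity(ev, 8, 4, True)))
    kept, pruned = prune_expired(SAMPLE_EVENTS)
    print(len(kept), "kept,", len(pruned), "pruned")
```

With the thresholds used in the `__main__` block (store at 8, forward at 4), the severity 10 event is both stored and forwarded, the severity 2 event is neither, and with the default retention periods the 8-day-old firewall event and the 100-day-old counter are pruned while the 300-day-old system event survives its 53-week window. Lowering the forward threshold while raising the store threshold is the configuration the page recommends: the SIEM keeps the full record and the local database keeps only what dashboards and investigations need.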
