Log and event storage best practices

Best practices for log and event data storage depend on the data compliance regulations you must meet, for example PCI and HIPAA. You also need to consider how efficiently your database is used: storing too much data can affect database performance and increase its size requirements.

Symptoms that you may be storing too much data for your database include error messages indicating that systems are experiencing loss of database activity, an inability to import software updates, or a general slow-down when working in Deep Security.

  1. Set system events storage to the compliance standard requirement.

  2. Set up forwarding of system and module events to a syslog server or SIEM (see Forward events to an external Syslog or SIEM server). This allows you to lower the retention time on the Storage tab, if necessary.

  3. Set up thresholds in the log inspection module for event storage or event forwarding. Referred to as "severity pruning" in the Deep Security documentation, this lets you send events to a syslog server (if enabled) or store events based on the severity level of the log inspection rule. See Thresholds for Event Storage or Event Forwarding.

Deep Security Manager provides a default data retention setting of seven days for almost all events; the exception is system events, for which the default is "Never".

The table below shows the default storage settings. To view and update them, go to Administration > System Settings > Storage.

Data type                     Data pruning default setting
Anti-malware events           7 days
Web reputation events         7 days
Firewall events               7 days
Intrusion prevention events   7 days
Integrity monitoring events   7 days
Log inspection events         7 days
Application control events    7 days
System events                 Never
Server logs                   7 days
Counters                      13 weeks
Software versions **          5 versions
Older rule updates **         10 rule updates

**Note: To delete Software Versions or Older Rule Updates, go to Administration > Updates > Software > Local or Administration > Updates > Security > Rules.
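The check a practitioner usually wants before relying on these defaults is which data types are pruned locally sooner than a regulation requires and are therefore not covered unless forwarded to a syslog server or SIEM (steps 1 and 2 above). The following Python is an added example, not Trend Micro code: the pruning values are copied from the table above, while the 365-day requirement and the set of forwarded event types are constructed placeholders to be replaced with your own compliance period and forwarding configuration.

```python
import re

# Default pruning settings, copied from the Storage tab defaults table above.
DEFAULT_PRUNING = {
    "Anti-malware events": "7 days",
    "Web reputation events": "7 days",
    "Firewall events": "7 days",
    "Intrusion prevention events": "7 days",
    "Integrity monitoring events": "7 days",
    "Log inspection events": "7 days",
    "Application control events": "7 days",
    "System events": "Never",
    "Server logs": "7 days",
    "Counters": "13 weeks",
    "Software versions": "5 versions",
    "Older rule updates": "10 rule updates",
}

# Constructed placeholder: minimum retention your regulation requires, in days.
REQUIRED_RETENTION_DAYS = 365

UNITS = {"day": 1, "days": 1, "week": 7, "weeks": 7}


def parse_retention_days(setting):
    """Convert a Storage-tab value to a number of days.

    Returns float('inf') for "Never" (kept indefinitely) and None for
    count-based settings such as "5 versions", which are not time-based.
    """
    s = setting.strip().lower()
    if s == "never":
        return float("inf")
    m = re.fullmatch(r"(\d+)\s+([a-z]+)", s)
    if m and m.group(2) in UNITS:
        return int(m.group(1)) * UNITS[m.group(2)]
    return None


def retention_gaps(pruning, required_days, forwarded_types=()):
    """Return (data type, local retention days) for every time-based setting
    that is pruned before required_days and is not forwarded to a SIEM."""
    gaps = []
    for data_type, setting in pruning.items():
        days = parse_retention_days(setting)
        if days is None or days >= required_days:
            continue  # count-based, or already retained long enough locally
        if data_type in forwarded_types:
            continue  # covered by the external syslog/SIEM copy
        gaps.append((data_type, days))
    return gaps
```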