Log and event storage best practices
Best practices for log and event data storage depend on the data compliance regulations you must meet, for example PCI and HIPAA. You also need to consider how efficiently your database is used: storing too much data can degrade database performance and increase its size requirements.
Symptoms that you may be storing too much data for your database include error messages reporting a loss of database activity, an inability to import software updates, or a general slowdown when working in Deep Security.
- Set system events storage to the compliance standard requirement.
- Set up forwarding of system and module events to a syslog server or SIEM (see Forward events to an external Syslog or SIEM server). Because a copy of each event is then retained outside the database, you can lower your retention time on the Storage tab if necessary.
- Set up thresholds in the log inspection module for event storage or event forwarding. Referred to as "severity pruning" in the Deep Security documentation, this allows you to send events to a syslog server (if enabled) or to store events based on the severity level of the log inspection rule. See Thresholds for Event Storage or Event Forwarding.
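The following added example models the two decisions described above (forward to syslog/SIEM, store in the database, each gated by a severity threshold) together with a retention window applied only to the stored copy. It is illustration code written for this page, not Deep Security's implementation: the 0-15 severity scale, the threshold values, the event fields and the sample events are all assumptions constructed here. The point it makes visible is that events forwarded to the SIEM survive database pruning, which is why external forwarding lets you shorten retention.

```python
"""Severity pruning and retention, modelled as plain Python (example code, not
Deep Security's own logic; thresholds, fields and sample data are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LogInspectionEvent:
    timestamp: datetime
    rule: str
    severity: int       # assumption: rule severity on a 0-15 scale
    description: str


@dataclass
class Thresholds:
    store_min_severity: int     # events at or above this level are written to the DB
    forward_min_severity: int   # events at or above this level go to syslog/SIEM
    retention_days: int         # how long stored events are kept before pruning


def route_event(event: LogInspectionEvent, t: Thresholds) -> tuple[bool, bool]:
    """Return (store, forward) decisions for one event; both may be true."""
    return (event.severity >= t.store_min_severity,
            event.severity >= t.forward_min_severity)


def apply_thresholds(events, t: Thresholds):
    """Split events into stored, forwarded and dropped lists (an event can be in both
    of the first two; dropped events fall below both thresholds)."""
    stored, forwarded, dropped = [], [], []
    for e in events:
        store, forward = route_event(e, t)
        if store:
            stored.append(e)
        if forward:
            forwarded.append(e)
        if not (store or forward):
            dropped.append(e)
    return stored, forwarded, dropped


def prune_expired(stored, now: datetime, t: Thresholds):
    """Drop stored events older than the retention window (forwarded copies are unaffected)."""
    cutoff = now - timedelta(days=t.retention_days)
    return [e for e in stored if e.timestamp >= cutoff]


NOW = datetime(2024, 1, 15, 12, 0, 0)  # constructed reference time

# Constructed sample events; rule names and descriptions are illustrative only.
SAMPLE_EVENTS = [
    LogInspectionEvent(NOW - timedelta(days=1),  "example-ssh-login",    3,  "successful ssh login"),
    LogInspectionEvent(NOW - timedelta(days=2),  "example-sudo-use",     7,  "sudo command executed"),
    LogInspectionEvent(NOW - timedelta(days=10), "example-auth-failure", 10, "repeated auth failures"),
    LogInspectionEvent(NOW,                      "example-new-user",     12, "new privileged account created"),
    LogInspectionEvent(NOW - timedelta(days=9),  "example-service-stop", 5,  "service stopped"),
]

# Assumed policy: store medium-and-up, forward high-and-up, keep stored events 7 days
POLICY = Thresholds(store_min_severity=5, forward_min_severity=10, retention_days=7)


def summarize(events=SAMPLE_EVENTS, t: Thresholds = POLICY, now: datetime = NOW) -> dict:
    """Run the pipeline and return counts, so the effect of each threshold is visible."""
    stored, forwarded, dropped = apply_thresholds(events, t)
    retained = prune_expired(stored, now, t)
    return {
        "stored": len(stored),
        "forwarded": len(forwarded),
        "dropped": len(dropped),
        "retained_after_pruning": len(retained),
        # high-severity events that the database no longer holds but the SIEM still does
        "only_in_siem": len([e for e in forwarded if e not in retained]),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

With the assumed policy, the severity-10 event from ten days ago is pruned from the database but is still held by the SIEM, which is the trade-off the forwarding recommendation relies on; raising `forward_min_severity` shrinks the forwarded volume at the cost of widening that gap.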
Deep Security Manager provides you with a default data retention setting of seven days for almost all events, with the exception of system events, which is set to "Never".
The table below shows defaults for storage. To view and update, go to Administration > System Settings > Storage.
| Data type | Data pruning default setting |
| --- | --- |
| Anti-malware events | 7 days |
| Web reputation events | 7 days |
| Firewall events | 7 days |
| Intrusion prevention events | 7 days |
| Integrity monitoring events | 7 days |
| Log inspection events | 7 days |
| Application control events | 7 days |
| Server logs | 7 days |
| Software versions ** | 5 versions |
| Older rule updates ** | 10 rule updates |

** Note: To delete Software Versions or Older Rule Updates, go to Administration > Updates > Software > Local or Administration > Updates > Security > Rules.