The settings under Administration > System Settings > Storage > Data Pruning define how long to store the following items before deleting them from the database:
- event logs
- counters ("Automatically delete counters older than" )
- Deep Security server logs ("Automatically delete server logs older than")
- older security updates ("Number of older software versions to keep per platform")
- other stored objects ("Number of older Rule Updates to keep")
This prevents the database from becoming too big, and optimizes performance.
For event log settings, decide how long to keep logs based on the robustness of the database system you are using, the amount of available storage space, and which events you need to log.
Some tips on event logging:
- On computers that are less important, modify the amount of logs collected. This can be done in the Events and Advanced Network Engine Settings areas on the Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Settings > Advanced tab.
- Consider reducing the event logging of firewall rule activity by disabling the event logging options in the firewall stateful configuration. (For example, if you disable UDP logging, it will eliminate unsolicited UDP log entries.)
- For intrusion prevention rules, the best practice is to log only dropped packets. If you log packet modifications, it may cause too many log entries.
- For intrusion prevention rules, only include packet data (an option in the intrusion prevention rule's Properties window) when you are interested in examining the behavior of a specific attack. Packet data increases log sizes, so it shouldn't be used for everything.