
FortiSIEM Cloud Event Retention

How FortiSIEM Cloud Event Retention Works

For FortiSIEM Cloud, the Online and Archive storage is managed together.

  • Space-based retention: If free Online storage falls below 10%, the oldest events are moved to Archive storage until free Online storage exceeds 20%. When FortiSIEM Cloud removes event data, it goes through each retention policy (90 days, 180 days, ...) and, within each policy, removes the oldest data first.

  • Time-based retention: You can use Online event retention policies to specify how long certain events must be retained. The policies take event attributes such as Organization, Reporting Device and Event Type as input. See Creating FortiSIEM Cloud Event Retention Policy. During the retention period, the events may sit in either Online or Archive storage depending on space-based retention; for example, if Online storage becomes full, an event may be moved to Archive storage. After the retention period expires, events matching the policy are purged from both Online and Archive storage.

For further information about Retention Policies, see Explanation of Retention Policies in Detail.

Explanation of Retention Policies in Detail

Retention policies are set to denote data lifetime, regardless of whether the data is in Online or Archive storage at the time of evaluation; these policies are not used to maintain a balance between Online storage and Archive storage.

The move of data from Online to Archive storage is performed as a "fair usage" rotation across retention policies, one day of data per policy at a time. When Online storage has 10% or less space available, FortiSIEM begins to archive the data (or to purge it, if no Archive storage is available). The fair usage policy moves 1 day of Online data from each retention policy to Archive storage, if available. This process keeps iterating through each retention policy until the pre-defined safety threshold is met (20% free Online storage), and ALL policies are evaluated in every round.

This means that each retention policy (Forever, 3 months (90 days), 6 months, etc.) is considered and given equal priority when moving data to Archive storage.

As an example, let's examine a scenario with 2 policies set up, one Forever and the other 3 Months. When the Online storage threshold is reached, the archival process is triggered. The process takes the oldest data residing in each policy, in a balanced fashion, and moves it to Archive storage.

If FortiSIEM was deployed in January and then subsequently a 3 Months retention policy was defined on the 1st of August, and your online threshold is met on the 1st of September, FortiSIEM will move the oldest data from the Forever policy (prior to August 1) as well as data from the 3 Months retention policy which may be newer data. This process continues to iterate through each retention policy until the pre-defined safety threshold is met (20% free Online storage), and all policies are evaluated in each round.

FortiSIEM Cloud performs daily checks on your Archive storage usage, and once usage is 100%, then the oldest events, regardless of retention policy, will be purged from Archive storage.

FortiSIEM Cloud, when used without Archive storage, purges the oldest events based on the retention policy definition. When multiple retention policies are configured, FortiSIEM uses the same "fair usage" approach and removes 1 day of events at a time from every retention policy until Online storage has 20% free disk space.

Creating FortiSIEM Cloud Event Retention Policy

Online event retention policies specify which events are retained, and for how long, in the online event database. Take the following steps to create an Online Event retention policy for FortiSIEM Cloud.

  1. Navigate to ADMIN > Settings > Database > Retention Policy.

  2. Under Online Retention Policy, click New.

  3. Check the Enabled checkbox if the policy has to be enforced immediately.

  4. From the Organizations drop-down list, choose the organizations that the policy must be applied to (for service provider installations). Check the All checkbox if the policy should apply to all organizations.

  5. For Reporting Device, click the edit icon to choose the reporting devices to apply this policy to, and click Save when done.

  6. For Event Type, click the edit icon to choose the event type or event type groups to apply this policy to, and click Save when done.

  7. Select the Retention Period from the drop-down list (3 Months, 6 Months, 1 Year, 3 Years, 5 Years, 10 Years, Forever (50 Years)). Each month is 30 days.

  8. Enter any Description related to the policy.

  9. Click Save.

  10. When done, confirm that the policy is selected, and click Apply.