Objective
This document provides details on how EventLog Analyzer stores the collected event logs or data.
Prerequisites
Understanding of how long the organization needs to retain its logs.
Understanding of how far back in time the organization needs to search its logs.
Access to EventLog Analyzer as an Administrator.
Steps to follow
EventLog Analyzer stores collected event logs as two separate copies in two different locations, each with its own customizable retention period.
Case 1: Live Logs
Case 2: Archives
Case 1: Live Logs
Live logs are the data which are available in the console. These data are stored in indexed format in Elasticsearch, which offers functionality to retrieve the desired information in the console in a click of a button. It also contains other processed information from the Threat engine, Correlation Engine, Alerts Engine, and Technician audit data.
More information is provided here:
Understanding Live logs:
a. Format:
Live logs are stored in Elasticsearch in two formats: indexed format and zipped indexed format.
Indexed format: used for logs collected less than 32 days ago.
Zipped indexed format: used for logs collected more than 32 days ago.
b. Type of logs stored:
- All event logs that are collected and processed by the Parsing Engine.
- Threat feeds and dark web monitoring data processed by the Threat Engine.
- Event logs that are flagged by Alerts Engine.
- Event logs that are flagged by Correlation Engine.
- Technician User Activities performed in the application.
c. Duration of data storage:
The duration of data storage is preset to a default value, which can be updated by navigating to Settings >> Admin Settings >> Retention Settings. The categories in the live retention are split as follows:
- Current Storage Size: Current Storage Size defines the number of days the collected raw logs will be retained in the database. The logs collected earlier than the configured value will be deleted. The default value is 32 days.
- Correlation Retention Period: Correlation Retention Period defines the number of days the formatted log data will be retained in the database. The logs formatted earlier than the configured value will be deleted. The default value is 90 days.
- Alert Retention Period: Alert retention period defines the number of days that the alerts will be retained in the database. The alerts raised earlier than the specified number of days will be deleted. The default retention period is 90 days.
- Audit Retention Period: Audit Retention Period defines the number of days that the Audit data for External APIs and technicians will be retained in the database. Audit data that is earlier than the configured value will be deleted. The default value is 90 days.
Configuring live log retention:
Navigate to Settings >> Admin Settings >> Retention Settings and set the value as per your organization's requirement.
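To make the live-log rules above concrete, here is an added Python simulation of how the per-category retention periods and the 32-day indexed/zipped boundary interact. It is example code written for this page, not EventLog Analyzer's own code; the record kinds, the sample records and the exact boundary handling (a record is purged when it is strictly older than the configured number of days, and a raw log is zipped when it is strictly older than 32 days) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default values from Settings >> Admin Settings >> Retention Settings, as given on the page.
DEFAULT_RETENTION_DAYS = {
    "raw": 32,          # Current Storage Size
    "correlation": 90,  # Correlation Retention Period
    "alert": 90,        # Alert Retention Period
    "audit": 90,        # Audit Retention Period
}

# Age (days) beyond which live raw logs are kept in zipped indexed rather than indexed form.
ZIPPED_INDEX_AGE_DAYS = 32


@dataclass(frozen=True)
class LiveRecord:
    kind: str            # "raw", "correlation", "alert" or "audit" (assumed category names)
    timestamp: datetime  # when the event was collected / the record was created
    summary: str


def age_days(record, now):
    return (now - record.timestamp).days


def live_format(record, now):
    """Storage form in Elasticsearch: raw logs older than 32 days are zipped indexed,
    everything else is reported as indexed. The exact boundary day is an assumption."""
    if record.kind == "raw" and age_days(record, now) > ZIPPED_INDEX_AGE_DAYS:
        return "zipped-indexed"
    return "indexed"


def is_retained(record, now, retention=None):
    """A record survives the purge while its age does not exceed the period set for its category.
    Overrides in `retention` stand in for values changed in Retention Settings."""
    limits = {**DEFAULT_RETENTION_DAYS, **(retention or {})}
    return age_days(record, now) <= limits[record.kind]


def summarize(records, now, retention=None):
    """One (summary, storage form, kept/deleted) tuple per record, in input order."""
    return [
        (r.summary, live_format(r, now), "kept" if is_retained(r, now, retention) else "deleted")
        for r in records
    ]


# Constructed sample data (not real logs): four records of different ages and kinds.
SAMPLE_NOW = datetime(2024, 6, 1)
SAMPLE_RECORDS = [
    LiveRecord("raw", SAMPLE_NOW - timedelta(days=10), "ssh login on host-a"),
    LiveRecord("raw", SAMPLE_NOW - timedelta(days=40), "ssh login on host-b"),
    LiveRecord("alert", SAMPLE_NOW - timedelta(days=100), "brute-force alert"),
    LiveRecord("audit", SAMPLE_NOW - timedelta(days=45), "technician changed retention"),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_RECORDS, SAMPLE_NOW):
        print("defaults ", row)
    # Raising Current Storage Size to 60 days keeps the 40-day-old raw log, now in zipped indexed form.
    for row in summarize(SAMPLE_RECORDS, SAMPLE_NOW, {"raw": 60}):
        print("raw=60d  ", row)
```

The point the simulation makes is that with the default Current Storage Size of 32 days no raw log ever reaches the zipped indexed stage; only when the raw retention is raised above 32 days does the older, zipped copy come into play, while alerts and audit data follow their own 90-day clocks.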
Case 2: Archives
Understanding Archive logs:
Archives are the cold storage tier: data is written to the file system as compressed (zipped) and optionally encrypted files. This storage is intended for keeping data for a longer duration. Older EventLog Analyzer archives can be loaded back into Elasticsearch from the Archives management page. Collected logs are first written as flat files to the Temp File Location and later zipped into the Archive Zip Location.
a. Format:
All archive files are stored in .gz format and contain compressed, optionally encrypted flat files.
Event logs can be stored either as raw logs or as raw logs with parsed fields. The default is raw logs with parsed fields.
b. Type of logs stored:
All collected event logs are stored in the archives either as raw logs or as raw logs with parsed fields, depending on the log type selected in Archive settings.
c. Policy-based archiving:
EventLog Analyzer provides policy-based log archiving. A Default Config archive policy is applied to all log sources out of the box. You can create any number of custom policies for selected devices using the + Create New Policy option in the archive settings. When multiple archive policies cover the same log source, device-based archiving is resolved by the priority of the configured policies: the policy listed at the top has the highest priority.
d. Duration of Data stored:
During installation the archive retention is set to Forever, which means archives are not deleted until someone removes them manually. You can customize the duration to suit your requirements by changing the Retain Archive Logs For value using one of the templates, or by choosing the Custom option to enter the desired retention in days, weeks, months, or years.
Configuring Archive Settings:
Navigate to Settings >> Admin Settings >> Archives and choose Settings from the top-right corner of the screen.
Customize the following as per the organization's requirements:
- Retain Archive Logs for: Set how long the archived logs of the device should be retained.
- Archive Zip Location: Set the location where the zipped archives are stored. The available options are a local directory, a shared location, or an S3 bucket.
- More Options >> Temp File Location: Set the location used for flat file creation and the zipping process. Note: keep these files on directly attached storage that meets the specifications recommended in the System Requirements.
- Flat File Encryption: Enables or disables encryption of the flat files.
Multiple Policy Creation:
You can create archive policies that group devices so that they get a different log storage location, a different storage duration, or both.
Example: In the screenshot referenced here, the Datacenter Policy is created specifically for the devices in the data center. While creating a policy you can align it to a single device, several devices, or a device group, with a customized retention and storage location.
In that example, the Datacenter Policy is configured for the data center device group and the Default Config policy is configured for All devices. Because the Datacenter Policy is listed first, it has a higher priority than the Default Config policy, so the devices in the Datacenter device group are archived under the Datacenter Policy.
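The priority rule and the Retain Archive Logs For values are easy to get wrong when several policies overlap, so here is an added Python model of the resolution described above: policies are evaluated in listed order and the first one matching a device wins, and each archive's expiry is derived from its policy's retention. This is example code written for this page, not EventLog Analyzer's own logic; the device and group names, the storage locations, and the conversion of months and years to fixed day counts are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed day counts for the Custom retention units; the product's exact calendar handling is not on the page.
UNIT_DAYS = {"day": 1, "week": 7, "month": 30, "year": 365}


@dataclass(frozen=True)
class ArchivePolicy:
    name: str
    devices: frozenset   # device names the policy is aligned to; {"*"} stands for All devices
    retain_for: str      # "Forever" or "<n> days|weeks|months|years" (Retain Archive Logs For)
    zip_location: str    # Archive Zip Location: local directory, shared location or S3 bucket


def parse_retention(value):
    """Retention in days, or None when archives are kept Forever."""
    text = value.strip().lower()
    if text == "forever":
        return None
    amount, unit = text.split()
    return int(amount) * UNIT_DAYS[unit.rstrip("s")]


def resolve_policy(device, policies):
    """Policies are evaluated in the order they are listed; the first one covering the device wins,
    which is the 'top policy has the highest priority' rule."""
    for policy in policies:
        if "*" in policy.devices or device in policy.devices:
            return policy
    return None


def effective_policy_name(device, policies):
    policy = resolve_policy(device, policies)
    return policy.name if policy else "no policy"


def expiry_date_string(policy, archived_at_iso):
    """ISO date on which an archive written on archived_at_iso falls out of retention, or 'never'."""
    days = parse_retention(policy.retain_for)
    if days is None:
        return "never"
    return (datetime.fromisoformat(archived_at_iso) + timedelta(days=days)).date().isoformat()


# Constructed sample: a data-center device group plus an all-devices default, mirroring the example above.
DEVICE_GROUPS = {"Datacenter": frozenset({"dc-db-01", "dc-app-01"})}
DATACENTER_POLICY = ArchivePolicy("Datacenter Policy", DEVICE_GROUPS["Datacenter"],
                                  "2 years", "s3://example-archive-bucket")   # constructed bucket name
DEFAULT_POLICY = ArchivePolicy("Default Config", frozenset({"*"}),
                               "Forever", "/archive/local")                  # constructed local path
SAMPLE_POLICIES = [DATACENTER_POLICY, DEFAULT_POLICY]   # Datacenter listed first: higher priority
DEFAULT_FIRST = [DEFAULT_POLICY, DATACENTER_POLICY]     # reversed order: the default shadows everything

if __name__ == "__main__":
    for dev in ("dc-db-01", "branch-fw-01"):
        print(dev, "->", effective_policy_name(dev, SAMPLE_POLICIES),
              "| with Default Config on top ->", effective_policy_name(dev, DEFAULT_FIRST))
    print("Datacenter archive from 2022-01-01 expires:", expiry_date_string(DATACENTER_POLICY, "2022-01-01"))
    print("Default Config archive expires:", expiry_date_string(DEFAULT_POLICY, "2022-01-01"))
```

Running the two orderings side by side shows the practical consequence of the priority rule: an All-devices policy placed above a device-specific one silently captures every device, so a custom data-center policy only takes effect when it is listed above Default Config.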
Tips
Set a higher retention for Alerts, Correlation, and Technician audit data in Retention Settings, because this auditing and security-requirement information is available only in Elasticsearch and is not written to the archives.
Configure live log retention based on how the logs are actually used; shortening the live log retention reduces storage consumption.
Create multiple archive policies to store device logs according to their auditing and security needs, which gives you flexibility in where and for how long each group of devices is stored.
Use the System Resource Calculator to estimate the required storage size from the log flow and the log retention requirement. It is recommended to store live logs and archive temp files on a high-performance disk with low OS load.