Enterprise SIEM, Centralized Log Management, Security, Compliance, Server Monitoring and Uptime Monitoring Software
Table of Contents

Log Entry Retention Policy Template

The Log Entry Retention Policy Template enables you to remove old log entries no longer required for either reporting or compliance so disk space can be freed and table size maintained over time for faster reporting.

Background:

When storing log entries for long periods of time, such as one year, log entry tables will become quite large. Running daily reports, such as Account Management Reports, require table scans to isolate the target log entries. If we were to store each log in a single table for the entire year, daily reports would be unnecessarily table scanning irrelevant data burning CPU, memory, power and time. For this reason, Corner Bowl saves log entries to two tables is separate databases. This design has two advantages. First, daily reports only need to execute table scans against recent data, and second, archive databases can be implemented on alternate hardware, with different specifications, while simultaneously isolating CPU intense archive reporting from production systems. Corner Bowl Server Manager implements these two databases in the Explorer View under Data Providers. By default, the databases are called the Primary Log Database and the Archive Log Database respectively.

How it works:

The Log Entry Retention Policy is responsible for removing log entries from the Primary Log Database and saving them to the Archive Log Database. Once the entries are older than the maximum configured time, for example 365 days, the Log Entry Retention Policy deletes the entries from the database. Entries are deleted in batches of one hour minimizing the size of transaction tables and memory consumption.

How to configure the Log Entry Retention Policy Template:

  • From the Menu Bar, select File | New. The Create New Object View displays.
  • From the Create New Object View, expand Templates | Log Management then select Log Entry Retention Policy. The New Template Properties View displays.
  • The Template Properties view contains 3 tabs.

The Options Tab

  • Use the Log entry retention filter drop-down to optionally select a filter to target specific entries.
    You can assign multiple Log Entry Retention Policy Templates to Log Consolidation Templates enabling you to remove specific data from the log database at any time.
  • Use the Log entry retention policy drop-down to select to either Remove or Archive log entries then select the number of days to maintain in the log database.
  • If you choose to Archive log entries, use the Retain archived entries for check box to enable the removal of old archived entries. Lastly, set the number of days to maintain in the archive log database.
    When archiving log entries the total number of days saved it the sum of the number of days in the primary log database plus the number of days in the archive log database. For example, if you archive entries older than 30 days and retain archived entries for 150 days the total number of days retained is actually 180 days.

Host Assignment

Unlike all the other templates in Server Manager, the Log Entry Retention Policy Template is referenced by other Log Consolidation Templates and therefore does not require host assignment. This template is automatically assigned to any host that that has a referencing Log Consolidation Template assigned.

Related Topics

Data Providers

Log Management Templates