The event data retention policies control the duration for which different types of event data are kept in the system before being deleted.
To create a data retention policy:
From Sentinel Main, click Storage > Events.
In the Data Retention section, click Create.
Use the following information to create the data retention policy.
Policy name: Specify a name for the retention policy.
The policy name must be unique and must contain alphanumeric characters.
Criteria: Specify the data retention policy criteria, or the filter value. Use the same syntax as searches.
Click the Build criteria icon to build a new criteria from available system objects containing criteria.
You can also use existing criteria by clicking the Select and append criteria icon.
Keep at least: Specify the minimum number of days to retain the events in the system. The value must be a valid positive integer.
Sentinel might retain the data for more number of days than this value (up to the Keep at most value, if specified) if disk space is available. This setting allows Sentinel to preferentially delete event data that is no longer needed when disk space must be freed.
Keep at most: (Optional) Specify the maximum number of days for which the events should be retained in the system. The value must be a valid positive integer and must be greater than or equal to the Keep at least value.
NOTE:For scalable storage, if you specify both Keep at least and Keep at most values, Sentinel considers only the Keep at most value for data retention.
Sentinel ensures that partitions that contain this kind of data will never be retained for longer than this value (assuming Sentinel is running and has access) for privacy or compliance reasons.
If no value is specified, Sentinel retains events of this type until the disk space usage policies remove them.
Click Save. The newly created policy is displayed in the data retention table.
The table also contains the following additional columns:
Size: Displays the amount of space used to store the events for each retention policy.
Events: Displays the number of events for the selected retention policy.
The policies are sorted in alphabetical order by policy name. The default retention policy is always shown as the last policy in the list.
By default, Sentinel retains the event associations data that is present in the exported associations (/var/opt/novell/sentinel/data/eventdata/exported_associations) directory for 14 days.
NOTE:Event associations data is available only in traditional storage.
However, you can change this retention period by performing the following steps:
Log in to the Sentinel server as the novell user.
Open the /etc/opt/novell/sentinel/config/configuration.properties file.
Add the following line in the file:
sentinel.exportedAssociations.retention.period=<retention period>
For example, if you want to set the Export Association files retention period to 90 days:
sentinel.exportedAssociations.retention.period=90
Save the modified configuration.properties file.
Restart Sentinel.