Sentinel provides multiple options to route, store, and extract the data it collects. By default, Sentinel receives two separate but related data streams from the Collector Managers: the parsed event data and the raw data. The raw data is immediately written to protected partitions to provide a secure evidence chain. The parsed event data is routed according to rules you define: it can be filtered out, sent to storage, sent to real-time analytics, or routed to external systems. All event data sent to storage is then matched against user-defined retention policies, which determine the partition the data is placed in and define the grooming policy under which that event data is retained and eventually deleted.
Sentinel's data storage is based on a three-tier structure:
Online storage:
Primary or local storage: Optimized for quick writes and fast retrieval. The most recently collected (and most frequently searched) event data is stored here.
Secondary or network storage: Optimized to reduce space usage while still supporting fast retrieval. Sentinel automatically migrates data partitions from primary to secondary storage.
NOTE: Using secondary storage is optional. Data retention policies, searches, and reports operate on event data partitions regardless of whether they reside on primary storage, secondary storage, or both.
Offline or archival storage:
Once partitions are closed, you can back them up to offline storage such as low-cost mass storage, Amazon Glacier, and so on. If necessary, you can temporarily re-import offline partitions for long-term forensic analysis.
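The following is an added, illustrative model of the storage pipeline described above; it is not NetIQ Sentinel code and does not claim to reproduce Sentinel's internal partition format. It keeps the raw stream in an append-only store whose entries are hash-chained (an assumed mechanism for the "evidence chain"), routes parsed events to day partitions by the first matching retention policy (policy ordering, the one-partition-per-day layout, migration thresholds and the tier a re-imported partition lands on are all assumptions), and shows that searches span primary and secondary storage alike while offline partitions are invisible until re-imported. The sample events and dates are constructed.

```python
"""Model of raw evidence chain + policy-routed tiered partitions (illustrative)."""
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

Event = dict  # constructed sample events: {"ts": date, "type": str, "msg": str}


class RawStore:
    """Append-only raw records; each hash commits to its predecessor, so any
    later edit or deletion breaks verify(). Assumed evidence-chain mechanism."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, str]] = []  # (raw_line, chain_hash)

    def append(self, raw: str) -> str:
        prev = self.entries[-1][1] if self.entries else "0" * 64
        h = hashlib.sha256((prev + raw).encode()).hexdigest()
        self.entries.append((raw, h))
        return h

    def verify(self) -> bool:
        prev = "0" * 64
        for raw, h in self.entries:
            if hashlib.sha256((prev + raw).encode()).hexdigest() != h:
                return False
            prev = h
        return True


@dataclass
class RetentionPolicy:
    name: str
    matches: Callable[[Event], bool]          # which parsed events land here
    keep_days: int                             # grooming: drop partitions this old
    migrate_after_days: Optional[int] = None   # None: no secondary tier (optional)


@dataclass
class Partition:
    policy: str
    day: date
    events: List[Event] = field(default_factory=list)
    tier: str = "primary"                      # primary | secondary | offline
    closed: bool = False


class EventStore:
    """Routes parsed events; first matching policy wins (assumed ordering)."""

    def __init__(self, policies: List[RetentionPolicy], default: RetentionPolicy):
        self.policies = policies + [default]   # default matches everything, last
        self.partitions: Dict[Tuple[str, date], Partition] = {}

    def route(self, ev: Event) -> str:
        pol = next(p for p in self.policies if p.matches(ev))
        key = (pol.name, ev["ts"])
        part = self.partitions.setdefault(key, Partition(pol.name, ev["ts"]))
        if part.closed:
            raise ValueError("closed partitions are immutable")
        part.events.append(ev)
        return pol.name

    def maintain(self, today: date) -> List[Tuple[str, date]]:
        """Close past days, migrate aged partitions, groom expired ones."""
        by_name = {p.name: p for p in self.policies}
        groomed = []
        for key, part in list(self.partitions.items()):
            pol, age = by_name[part.policy], (today - part.day).days
            if age >= 1:
                part.closed = True
            if age >= pol.keep_days:               # grooming policy: delete
                groomed.append(key)
                del self.partitions[key]
            elif (pol.migrate_after_days is not None and part.tier == "primary"
                  and age >= pol.migrate_after_days):
                part.tier = "secondary"            # automatic migration
        return groomed

    def export_offline(self, key: Tuple[str, date]) -> None:
        if not self.partitions[key].closed:
            raise ValueError("only closed partitions can be backed up offline")
        self.partitions[key].tier = "offline"      # no longer searchable

    def reimport(self, key: Tuple[str, date]) -> None:
        self.partitions[key].tier = "primary"      # assumed landing tier

    def search(self, pred: Callable[[Event], bool]) -> List[Event]:
        """Spans primary and secondary alike; offline partitions are invisible."""
        return [e for p in self.partitions.values() if p.tier != "offline"
                for e in p.events if pred(e)]


DAY0 = date(2013, 1, 1)  # constructed


def day(n: int) -> date:
    return DAY0 + timedelta(days=n)


SAMPLE_EVENTS = [  # constructed parsed events
    {"ts": DAY0, "type": "auth_failure", "msg": "sshd: Failed password for root from 203.0.113.7"},
    {"ts": DAY0, "type": "fw_allow", "msg": "fw: ACCEPT tcp 10.0.0.5:443"},
    {"ts": DAY0, "type": "auth_failure", "msg": "sshd: Failed password for admin from 203.0.113.7"},
    {"ts": DAY0, "type": "dns_query", "msg": "dns: query example.net A"},
]


def sample_store() -> EventStore:
    sec = RetentionPolicy("security", lambda e: e["type"] == "auth_failure", 365, 3)
    noise = RetentionPolicy("verbose", lambda e: e["type"] == "fw_allow", 7)
    store = EventStore([sec, noise], RetentionPolicy("default", lambda e: True, 30))
    for ev in SAMPLE_EVENTS:
        store.route(ev)
    return store
```

Running sample_store() and then maintain(day(3)) moves the "security" partition to secondary while "verbose" stays on primary; maintain(day(8)) grooms the 7-day "verbose" partition. A search for auth failures returns both events while the partition is on secondary, none after export_offline, and both again after reimport.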
You can also configure Sentinel to extract the event data and event data summaries to an external database by using data synchronization policies. For more information, see Configuring Data Storage in the NetIQ Sentinel 7.1 Administration Guide.