
Retention Policies

The Retention Policies tab controls how long data remains in the NETALERT database. Administrators can set or update the retention policies as needed.

Below is an example configuration illustrating how retention policies can be applied to different data categories. In this setup, any alerts, PCAP files, and traffic logs older than 30 days are automatically removed, while inactive devices are cleaned up after 7 days. This approach helps maintain an optimized database, ensuring that only relevant and recent information remains accessible.


  • AlertsCleanup - Specifies the number of days alerts remain in the database. Any alerts older than 30 days are automatically removed.
  • AlertsReplicasCount - Specifies how many replica copies of the alert data indices are maintained, ensuring data redundancy and high availability.
  • AlertsShardsCount - Determines how many primary shards are allocated for storing alert data, affecting query performance and data distribution.
  • DeviceActiveTTL - Indicates how long an inactive device record remains in the system. If a device has not been active for 7 days, it is removed or marked for cleanup.
  • PcapCleanup - Sets the retention period for PCAP files. Data older than 30 days is automatically deleted to free up storage.
  • PcapReplicasCount - Determines how many replica copies are maintained for PCAP indices, enhancing overall data resilience.
  • PcapShardsCount - Defines the number of primary shards for storing PCAP data, influencing how the system balances storage and query loads.
  • TrafficCleanup - Establishes the duration for retaining raw traffic data. After 30 days, outdated records are purged from the database.
  • TrafficReplicasCount - Indicates the number of replica copies for traffic data indices, providing redundancy and ensuring data resilience.
  • TrafficShardsCount - Sets the number of primary shards allocated to traffic data, improving performance by distributing the data across multiple shards.
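
An added example (not NETALERT's own code): it models the settings listed above as a plain dictionary, flags values that limit an investigation or leave data without a replica, and lists which constructed records the cleanup would remove. The dictionary layout, the `lookback_days` requirement, the replica and shard values and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed representation of the tab's settings (not NETALERT's storage format).
# Day values follow the example above; replica and shard counts are assumed.
SETTINGS = {
    "AlertsCleanup": 30, "AlertsReplicasCount": 1, "AlertsShardsCount": 1,
    "DeviceActiveTTL": 7,
    "PcapCleanup": 30, "PcapReplicasCount": 0, "PcapShardsCount": 1,
    "TrafficCleanup": 30, "TrafficReplicasCount": 1, "TrafficShardsCount": 1,
}
RETENTION_KEYS = {"alert": "AlertsCleanup", "pcap": "PcapCleanup",
                  "traffic": "TrafficCleanup", "device": "DeviceActiveTTL"}


def review(settings, lookback_days):
    """Return findings for a complete settings dict (all ten keys present)."""
    findings = [f"{k}: invalid value {v!r}" for k, v in settings.items()
                if not isinstance(v, int)
                or v < (0 if k.endswith("ReplicasCount") else 1)]
    if findings:
        return findings  # the comparisons below need valid integers
    for k, v in settings.items():
        if k.endswith("ReplicasCount") and v == 0:
            findings.append(f"{k}: no replica, a single copy of the data")
    for k in ("AlertsCleanup", "PcapCleanup", "TrafficCleanup"):
        if settings[k] < lookback_days:
            findings.append(f"{k}: {settings[k]}d is below the {lookback_days}d lookback")
    if settings["PcapCleanup"] < settings["AlertsCleanup"]:
        findings.append("PcapCleanup: alerts outlive their packet captures")
    return findings


def purge_candidates(records, settings, now):
    """Return ids of records older than the retention cutoff for their category."""
    return [rec_id for rec_id, kind, last_seen in records
            if last_seen < now - timedelta(days=settings[RETENTION_KEYS[kind]])]


if __name__ == "__main__":
    now = datetime(2024, 6, 30, tzinfo=timezone.utc)
    sample = [("a1", "alert", now - timedelta(days=31)),   # constructed records
              ("p1", "pcap", now - timedelta(days=12)),
              ("d1", "device", now - timedelta(days=8))]
    print(review(SETTINGS, 90))
    print(purge_candidates(sample, SETTINGS, now))
```

Run the review before shortening a cleanup value: a PCAP retention shorter than the alert retention leaves alerts that can no longer be checked against packet data.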
