This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Data Retention Scheduler best practices

RichardB
Frequent Contributor
Frequent Contributor

‎2019-12-09 10:08 AM

What are the best practices when using the Data Retention Scheduler for NW Packet decoders/concentrators? We typically set the retention to 30 to 90 days. The default for "Run" is every 15 minutes which seems quite low/often in our case.

 

The documentation at https://community.rsa.com/docs/DOC-80855 does not explain the impact of choosing Interval or Date & Time. Is there a difference in performance? When set to 15 minutes, I imaging the process runs every 15 minutes and removes 15 minutes of old data every time. When set to Weekends the process will run once (twice really) a week but will remove 7 days of old data. Is one of these strategies preferred over the other?

0 Likes
3 REPLIES 3

JohnSnider
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2019-12-09 10:25 AM

For most customers we generally don't even configure it, as they want to keep as much data as possible with available storage, and the data will roll off the storage as it nears capacity (~95% used)

 

However there are specific situations where it is useful, especially where there are legal limitations on how long you can keep data.  

 

If you are required by law to only keep active data for no more than 14 days, then you need to schedule at least a daily roll-off of the data, but may need to be more specific and run it every 15 minutes to make sure you are not violating any data privacy laws.

 

If you are not using it for legal matters, but to keep your data "aligned" on all devices so they have the same retention length, then it's purely up to you as to when and how often you run it, the timeroll process does not cause any real detriment to the operation of the system and if there are no "full files" to delete, does nothing.

0 Likes

KevinArunski
Contributor
Contributor

‎2019-12-09 01:54 PM

There are no strict best practices around how often the scheduler when doing time-based retention policies.   It's designed to accommodate the retention policies the customer needs to implement, rather than being a portion of the product that requires performance tuning.
There's no need for concern around checking for rollover every 15 minutes.  The Netwitness services are designed to roll-out files more often than that.  Furthermore, there's no need to wait for the weekends before checking the time retention, unless of course that is the policy your organization wishes to implement.
There is no meaningful performance difference between choosing an interval or date/time.
0 Likes

RichardB
Frequent Contributor
Frequent Contributor

‎2019-12-10 02:57 AM

Thanks for clarifying this! Yes, we do need to explicitly set the retention due to GDPR. I'll leave the rollover to 15 minutes.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.