2019-10-04 10:39 AM
Hello,
I need to filter logs to be stored on Archiver. I need to discard any log from device IP 1.1.1.1 and any log from device type 'winevent_nic', and from the device type 'winevent_snare' I just need to keep any log that starts with the word 'security', and finally keep all the rest of the logs.
So far I have these rules (in that order):
1 device.ip != 1.1.1.1
2 device.type != 'winevent_nic'
3 device.type = 'winevent_snare' && msg.id begins 'security'
default *
I wonder if that set of rules is going to work the way I want. Also I need to purge logs older than 3 years from Archiver (from a specific IP device or device type).
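A way to sanity-check an ordered filter policy like the one above against sample records before deploying it. This is an added example, not part of the original thread and not the archiver product's own rule syntax: it assumes rules are evaluated top to bottom with first-match semantics and that each rule carries an explicit keep/drop action (the thread does not state how the product resolves a rule list). The fourth rule makes the "only 'security' logs from winevent_snare" requirement explicit; whether the product needs such a rule or derives it from rule 3 is not stated in the thread. The record and `Rule` types, the `audit` and `purge_candidates` helpers, the sample records and the "today" date are all constructed for the example.

```python
"""Audit an ordered log-filter policy and a retention window against sample records.

Assumptions (not from the thread): first-match evaluation, explicit keep/drop
actions per rule, and a retention window approximated as 3*365 days.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    device_ip: str
    device_type: str
    msg_id: str
    received: date  # date the archiver stored the record


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Record], bool]
    keep: bool  # True = archive the record, False = discard it


# The poster's intent written as an explicit ordered policy (hypothetical actions).
POLICY: List[Rule] = [
    Rule("drop device 1.1.1.1", lambda r: r.device_ip == "1.1.1.1", keep=False),
    Rule("drop winevent_nic", lambda r: r.device_type == "winevent_nic", keep=False),
    Rule("keep snare security events",
         lambda r: r.device_type == "winevent_snare" and r.msg_id.startswith("security"),
         keep=True),
    # Explicit drop so other snare events do not fall through to the default.
    Rule("drop remaining snare events", lambda r: r.device_type == "winevent_snare", keep=False),
    Rule("default keep everything else", lambda r: True, keep=True),
]


def evaluate(record: Record, policy: List[Rule] = POLICY) -> Tuple[bool, str]:
    """Return (keep, rule_name) for the first rule that matches the record."""
    for rule in policy:
        if rule.match(record):
            return rule.keep, rule.name
    raise ValueError("policy has no catch-all rule")


def audit(records: List[Record], policy: List[Rule] = POLICY) -> List[Tuple[Record, bool, str]]:
    """Evaluate every record; the rule name shows which line of the policy decided."""
    return [(rec, *evaluate(rec, policy)) for rec in records]


RETENTION = timedelta(days=3 * 365)  # "older than 3 years", approximated in days
AS_OF = date(2019, 10, 4)            # constructed "today" for the demo


def purge_candidates(records: List[Record], today: date,
                     device_type: Optional[str] = None, device_ip: Optional[str] = None,
                     retention: timedelta = RETENTION) -> List[Record]:
    """Records older than the retention window, optionally limited to one device type or IP."""
    out = []
    for rec in records:
        if device_type is not None and rec.device_type != device_type:
            continue
        if device_ip is not None and rec.device_ip != device_ip:
            continue
        if today - rec.received > retention:
            out.append(rec)
    return out


# Constructed sample records covering each branch of the policy.
SAMPLE: List[Record] = [
    Record("1.1.1.1", "winevent_snare", "security 4624 logon", date(2019, 9, 1)),
    Record("10.0.0.5", "winevent_nic", "security 4624 logon", date(2019, 9, 1)),
    Record("10.0.0.5", "winevent_snare", "security 4624 logon", date(2016, 1, 1)),
    Record("10.0.0.5", "winevent_snare", "application 1000 crash", date(2019, 9, 1)),
    Record("10.0.0.7", "syslog", "sshd accepted publickey", date(2016, 1, 1)),
]


if __name__ == "__main__":
    for rec, keep, why in audit(SAMPLE):
        print("KEEP" if keep else "DROP", rec.device_ip, rec.device_type, rec.msg_id, "<-", why)
    for rec in purge_candidates(SAMPLE, AS_OF, device_type="winevent_snare"):
        print("PURGE", rec)
```

The first sample record shows why order matters: a 'security' event from 1.1.1.1 is dropped by the IP rule before the snare rule is ever consulted, which is the intended result. Running the audit over a handful of constructed records for each branch is a cheap way to catch a rule that would otherwise let winevent_snare noise fall through to the default.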
2019-11-12 05:21 AM
Hi Omar Garcia Gilio,
The retention rules work as expected. Specific IP/device logs can't be rolled over. However, you can create a retention rule with a specific IP/device.type to hold the last 3 years of logs going forward.