In an audit data cleanup policy, you can specify the period after which the zat file and the metadata are deleted. You can also provide a Lucene-like query that selects which sessions you want to delete. For example, using the query, you can create a filter for a specific protocol.

To add a new audit data cleanup policy

  1. Navigate to Policies > Audit Data Cleanup Policies.

  2. Select Add policy.

    Figure 142: Policies > Audit Data Cleanup Policies — Configuring an audit data cleanup policy

  3. In Policy name, specify a unique name for the audit data cleanup policy.

  4. In the Audit data older than field, enter how long (in days) SPS must keep the zat file and the metadata. For example, if you specify 365, SPS deletes the audit data of connections older than a year.

    The accepted value range is 30-100,000 days.

    NOTE: The database cleanup occurs once a day at 22:01 PM.

    NOTE: Since the database cleanup happens once a day at 22:01 PM, if you specify the same retention time for an archive policy, for example, 90 days in the Audit data retention period field, ensure that archiving is set to start before 22:01 PM, so that the data is archived before the cleanup deletes it.

  5. In Audit data query, which is a Lucene-like query, specify the audit data to which the cleanup policy applies.

    To build this query, specify a field and the related term. Optionally, add a Boolean operator followed by another field and related term. For example, to select the audit data of the SSH protocol and the ssh-connection-policy connection policy for cleanup, in Audit data query, type protocol:SSH AND recording.connection_policy:ssh-connection-policy

  6. To save your changes, click Add policy.

  7. Optionally, repeat the steps to create new audit data cleanup policies for other protocols and connections.
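The following is an added example, not code from SPS or its documentation, that models what a cleanup policy with the settings above would select: it validates the retention range, parses the AND-joined field:term query form shown in step 5 (only that subset is supported; that is an assumption), applies the age cutoff, and computes the next 22:01 run. The session records and their timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample session metadata; field names follow the query
# fields used on the page, the values are made up for illustration.
SESSIONS = [
    {"id": "s1", "protocol": "SSH", "recording.connection_policy": "ssh-connection-policy",
     "start": datetime(2022, 6, 1)},
    {"id": "s2", "protocol": "SSH", "recording.connection_policy": "ssh-connection-policy",
     "start": datetime(2023, 6, 1)},
    {"id": "s3", "protocol": "RDP", "recording.connection_policy": "rdp-connection-policy",
     "start": datetime(2022, 6, 1)},
    {"id": "s4", "protocol": "SSH", "recording.connection_policy": "other-policy",
     "start": datetime(2022, 1, 1)},
]

CLEANUP_TIME = (22, 1)  # the daily cleanup runs at 22:01


def validate_retention(days):
    """Enforce the accepted range for 'Audit data older than' (30-100,000 days)."""
    if not 30 <= days <= 100_000:
        raise ValueError("Audit data older than must be between 30 and 100,000 days")
    return days


def parse_query(query):
    """Parse 'field:term AND field:term ...' into (field, term) pairs.

    Assumption: only the AND-joined form from the page is handled; a real
    Lucene-like query language supports more than this.
    """
    clauses = []
    for part in query.split(" AND "):
        field, sep, term = part.strip().partition(":")
        if not sep or not field or not term:
            raise ValueError(f"malformed clause: {part!r}")
        clauses.append((field, term))
    return clauses


def sessions_to_delete(sessions, query, older_than_days, now):
    """Return ids of sessions that match the query and are older than the cutoff."""
    cutoff = now - timedelta(days=validate_retention(older_than_days))
    clauses = parse_query(query)
    return [s["id"] for s in sessions
            if all(s.get(f) == t for f, t in clauses) and s["start"] < cutoff]


def next_cleanup_run(now):
    """Next 22:01 at or after 'now'; archiving must finish before this moment."""
    run = now.replace(hour=CLEANUP_TIME[0], minute=CLEANUP_TIME[1], second=0, microsecond=0)
    return run if run >= now else run + timedelta(days=1)
```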

Expected outcome

Every day, SPS deletes the zat file and the metadata of connections that are older than the given cleanup time from the connection database.

Preview the effect of the cleanup policy

The preview chart of a cleanup policy predicts how the respective cleanup policy will affect your audit data.

Preview charts are available in the following places:

  • Audit Data Cleanup Policies page.

    You can preview one or more cleanup policies at the same time in one chart.

  • Add new audit data cleanup policy and the Edit cleanup policy side sheets.

    You can preview the actual policy that you are creating or editing.

  • By clicking the chart icons in the policy lists.

    You can preview the respective policy.

Reading the charts

  • The charts display data in monthly increments.

  • The vertical line or lines represent the end of the data retention period for the respective policy or policies.

  • To the right of the vertical line, you can see the sessions which are not scheduled for deletion yet.

  • To the left of the vertical line, you can see those sessions which are to be deleted by the next cleanup event.

  • Sessions matching this query (green) represent the sessions that are affected by the respective cleanup policy.

  • Sessions not included in this cleanup policy (blue) represent the sessions that are not affected by the respective cleanup policy.