Best practices for events SIEM


For best practices, I set the SIEM event retention to 90 days; what are the benefits?

  luis.morales,

    Although this is an area that will always lead to a different opinion, I will go out on a limb and say that if you are referring to SIEM DB Storage vs Raw Log Storage, it will not help much at all. There are two reasons:

    1 - A SIEM is a risk management device, requiring proactive (not reactive) management. Since the SIEM Database is used for active correlation on USM/OSSIM, if an attack is running undetected or unaddressed for weeks at a time, your window for proactively managing the risk found is most likely shattered, so to speak. At this point, you are probably looking more at your Raw Logs for forensic analysis.

    2 - The reason we use separate Raw Log storage on the USM is to prevent the DB from growing to an unmanageable size, causing significant performance issues. DB access on our system is exceptionally high, and DB latency due to backlog or table size is a significant concern. Due to this, rotating DB event storage within a reasonable time period is critical to functionality.

    If we are referring to Raw Log Storage, the answer is much simpler. You need to balance log storage size against retention goals.

    I have included a link to the event storage best practices doc for review:

  • Thank you, you know so much about this.
