Technical Note: For how long is data retained in FortiInsight

By default the data retention periods are: 

• 7 days for live user events – these are all events minus system events (see below)

• 1 month for compacted user events – after the “live” threshold user events are compacted to optimise the back-end storage. Compacted data is searchable and search results can be uncompacted back to Live to gain full access to corresponding event information.

 Note that any alerts, generated when an event matches a configured policy, are kept indefinitely.