Retention Policy

Hi ​@OsamaFattoh,

in my understanding, the arrangement in hot/warm/cold tiers in ClickHouse is based on free space purely. The retention policies immediately purge “old” events (regardless in which tier they are) from all the online nodes. Only the Archive storage (if configured) remains untouched from these policies.

See also: https://docs.fortinet.com/document/fortisiem/7.5.0/user-guide/997299/creating-retention-policy

So, for your case, the events just get deleted after 30 days, and the warm tier probably stays empty.

Best,

Christian

Hi,
As far as I see, Time Based retention doesn’t come in to play for me just like your question. (I have Hot and Warm disk in my environment, all others are hot only)
I defined 6 months retention for DNS logs but I’m able to find DNS logs a year ago as well 

Secondly,
you can play with configs. However Fortinet wouldn’t support neither recommend it officially. So, be careful out there
you may check out below topic
 

Ceyhun Kivanc

Hi,
I've been administering FortiSIEM for about 6 months now.
Based on this thread:

I have a case of ClickHouse at 80–90% on a worker node that has Hot and Warm tiers, with no Archive.
From what I understand, FortiSIEM retention works in two ways:

1) Policy-based retention
If you set a policy to 90 days, the data follows that policy — but it only applies to data ingested after the date you created the policy. 

For example, if you just created a retention policy today, 1 January 2026, then about 90+ days from now the data from 1 January will be purged.

(However, the policy you create will not affect older data ingested before the policy creation date — i.e., data ingested before 1 January will still remain in your SIEM.)

(If you want to clear out that older data, you need to use FortiSIEM's CLI script EnforceRetentionPolicy, as referenced in the thread above — or alternatively, wait for that data to be handled by mechanism #2 below.)

2) Space-based retention — from the Fortinet docs 

Creating Retention Policy | FortiSIEM 7.5.0 | Fortinet Document Library

When disk free space drops to 10%, the system frees up space until 20% is available. If a Warm or Cold tier exists, data is moved there instead of being deleted. The order is: Hot > Warm > Cold > Archive.

So here's my summary based on your question:

- Data moves from Hot to Warm only when Hot has ~10% free space left.
- Warm clear up space to 20% when Warm hits 10% free. If you have an Archive, data is moved to Archive; if not, the oldest data is purged until 20% is free.
- I'd also like to separate the 30-day retention policy from step above, because my understanding is that within this whole process, if data reaches 30 days at any point, it gets purged right at that point. For example, if your Hot tier can still hold another 30 days' worth of logs, those logs will be handled (purged) right there in Hot — they won't move to the Warm tier at all.