scheehan_FTNT
Staff & Editor
October 8, 2019

Technical Tip: Ability to change event database purge/archive thresholds

Description
This article describes how to adjust the event database purge/archive thresholds to suit operational requirements.

By default, FortiSIEM starts to purge (or archive, if archiving is configured) when the free space in the event database falls below 10GB. This continues until free event database space reaches 20GB. In very high event rate situations, this 10GB buffer may not suffice and the database may become full.
Starting with the v4.7 release, these values can be customized by the user. In phoenix_config.txt, under the phDataPurger section, modify the low_space_action_threshold and low_space_warning_threshold values and restart the phDataPurger module.

Note:
This needs to be done on the Supervisor and Worker nodes.

Scope
Phoenix configuration

Solution
- low_space_action_threshold (default 10GB): when free space in the event database falls below this value, an action is taken: purge or archive.
This continues until free space in the event database grows to more than low_space_warning_threshold.

- low_space_warning_threshold (default 20GB): when free space in the event database falls below this value, a warning is generated.

[BEGIN phDataPurger]
...

low_space_action_threshold=10
low_space_warning_threshold=20
...
[END]

To restart phDataPurger module:
# killall -9 phDataPurger
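
A pre-restart check for the edited file, as an added example that is not Fortinet code: it reads the two keys from the phDataPurger section only, rejects missing or non-numeric values, and reports what the purger should do at a given amount of free space. The function names, the rule that the action threshold must be lower than the warning threshold, and the sample values (50/100, plus a hypothetical second section) are assumptions of this example; pass the real path of phoenix_config.txt as the file argument.

```shell
#!/bin/sh
# Added example, not Fortinet code. Thresholds are whole GB, as in the article.

# Print KEY's value, reading only inside [BEGIN phDataPurger] ... [END].
get_purger_value() {   # usage: get_purger_value FILE KEY
    awk -F= -v key="$2" '
        /^\[BEGIN phDataPurger\]/ { in_sec = 1; next }
        /^\[END\]/                { in_sec = 0 }
        in_sec && $1 == key       { gsub(/[ \t\r]/, "", $2); print $2; exit }
    ' "$1"
}

# Return 0 only if both values are integers and action < warning (assumed sanity rule).
check_thresholds() {   # usage: check_thresholds FILE
    action=$(get_purger_value "$1" low_space_action_threshold)
    warning=$(get_purger_value "$1" low_space_warning_threshold)
    for v in "$action" "$warning"; do
        case "$v" in ''|*[!0-9]*) echo "missing or non-numeric threshold"; return 1 ;; esac
    done
    [ "$action" -lt "$warning" ] || { echo "action ($action) must be below warning ($warning)"; return 1; }
    echo "ok: action=${action}GB warning=${warning}GB"
}

# Expected behaviour for a given free space: purge | warn | ok.
purger_state() {       # usage: purger_state FILE FREE_GB WAS_PURGING(0|1)
    action=$(get_purger_value "$1" low_space_action_threshold)
    warning=$(get_purger_value "$1" low_space_warning_threshold)
    if [ "$2" -lt "$action" ]; then echo purge
    elif [ "$3" -eq 1 ] && [ "$2" -le "$warning" ]; then echo purge   # keeps going until free > warning
    elif [ "$2" -lt "$warning" ]; then echo warn
    else echo ok
    fi
}

# Constructed sample file; the first section is hypothetical and only shows scoping.
make_sample_config() { # usage: make_sample_config FILE
    cat > "$1" <<'EOF'
[BEGIN exampleOtherSection]
low_space_action_threshold=99
[END]
[BEGIN phDataPurger]
low_space_action_threshold=50
low_space_warning_threshold=100
[END]
EOF
}

sample=$(mktemp) && make_sample_config "$sample"
check_thresholds "$sample"
purger_state "$sample" 70 0
```

Run the same check on each Supervisor and Worker node, since the article requires the change on all of them.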