Staff

Technical Tip: How to verify configured retention versus actual retention in FortiSIEM

Forum|Forum|3 months ago
February 25, 2026
0 replies
166 views

Description

This article describes how to verify whether the configured retention period matches the actual retention of events stored in FortiSIEM with the following instructions:

How to check the configured retention period.
How to calculate the actual retention period in database.
How to compare the difference between the configured and actual retention.

In some cases, event data may be deleted earlier than expected due to storage thresholds or disk space limitations.

Scope

FortiSIEM 7.x and above using ClickHouse database.

Solution

Check the configured retention in FortiSIEM GUI. Follow the steps below:
- Login to the FortiSIEM GUI.
- Navigate to ADMIN -> Settings -> Storage.
- Check the following parameter:
  - Event Retention (Days)
  - For example:
    - Event Retention: 30 Days.
    - This indicates FortiSIEM is configured to retain events for 30 days.
Check actual retention in the ClickHouse database.

Log in to the ClickHouse Data Node via SSH:

ssh root@<DataNode-IP>

Run the following query:

clickhouse-client -q "select min(min_time) as oldest_event_time, max(max_time) as latest_event_time from default.events_replicated;"

Example output:

oldest_event_time latest_event_time
2024-01-10 00:00:01 2024-02-10 12:00:00

Interpretation:

Calculate actual retention: Actual retention = Latest event time - Oldest event time.

For example:

Latest event: Feb 10.
Oldest event: Jan 10.
Actual retention = 30 days.

This matches the configured retention.

To see detailed partition-level retention:

clickhouse-client -q "select partition,min_time,max_time from system.parts where table='events_replicated' order by min_time asc;"

The first entry shows the oldest available data.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded