Cybersecurity Forum


AlexDC
New Contributor III

FortiSIEM - Manually deleting logs

Hello,
I have been looking for a way to manually delete logs in FortiSIEM but cannot find one. Does anyone know the recommended way to do so?
We have NFS as the back end for one deployment and a hardware all-in-one for another FortiSIEM deployment, both separate. We would like to know the recommended way to delete certain logs from the back end once ingested. I understand we could use drop rules, but what about deleting from the back end?

Any help is much appreciated, thank you in advance.
KenMick
Staff

Hi Alex,

There are multiple ways to purge log data from FortiSIEM.

To perform this within the GUI, simply go to Admin/Settings/Retention Policy

From there, you can create policies to purge events by customer org.

------------------------------
Ken
------------------------------
AlexDC
New Contributor III

Hello Ken,

Thank you for your reply. We use the retention policy for each SIEM tenant, but I was wondering if there is a recommended way to delete specific logs or event types from a device from a specific tenant on an NFS or hardware FortiSIEM deployment after the fact. The minimum time for the retention policy is 5 days to wait for purging data sets, which, if storage-conscious, may not be feasible. Let's say we added a device and misconfigured the recipient tenant Org ID or collector, or the scenario of running environment-wide discoveries, then deleting specific logs from the datastore and keeping the ones important to that Org/Tenant. I was hoping someone has run into this before; if not, I will dig into the manual way (grep, ack, sed) to find those logs and see where that goes. Cheers.
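The "manual way" mentioned in the last post, as an added example that is not part of the thread and not Fortinet tooling: a small POSIX shell routine that removes only the lines matching a given org ID and reporting device IP from a directory of plain-text log files, copying every removed line to a quarantine directory first and reporting a count so the purge can be checked (and reverted) before anything is trusted. The file layout, the space-separated `timestamp orgId reptDevIpAddr message` format and the sample events are all constructed for the example; they are a stand-in for whatever the backing store actually holds, not FortiSIEM's on-disk event format, so treat this as the pattern (filter to quarantine, rewrite via a temp file, count and compare) rather than something to point at /data.

```shell
#!/bin/sh
# Added example, not from the thread. Selective purge of plain-text log lines
# by org ID and reporting IP, with quarantine and counts. The file format here
# is hypothetical (space-separated: timestamp orgId reptDevIpAddr message).
set -eu

# write_sample <dir>: writes two constructed log files used to exercise the purge.
write_sample() {
  dir="$1"
  mkdir -p "$dir"
  printf '%s\n' \
    '2024-05-01T10:00:00Z 2001 10.1.1.5 login ok' \
    '2024-05-01T10:00:01Z 2002 10.1.1.9 login ok' \
    '2024-05-01T10:00:02Z 2001 10.1.1.5 config change' \
    > "$dir/events-1.log"
  printf '%s\n' \
    '2024-05-01T11:00:00Z 2002 10.1.1.5 discovery' \
    '2024-05-01T11:00:01Z 2001 10.1.1.5 discovery' \
    > "$dir/events-2.log"
}

# count_events <dir>: prints the total number of event lines across *.log.
count_events() {
  cat "$1"/*.log | wc -l | tr -d ' '
}

# purge_events <dir> <quarantine_dir> <orgId> <reptDevIpAddr>
# For each *.log file: copies the lines whose 2nd field equals orgId AND whose
# 3rd field equals the IP into <quarantine_dir>/<file>.removed, then rewrites
# the file without them through a temp file (never in place). Prints the
# number of lines removed so the caller can compare before/after counts.
purge_events() {
  dir="$1"; quar="$2"; org="$3"; ip="$4"
  mkdir -p "$quar"
  removed=0
  for f in "$dir"/*.log; do
    [ -f "$f" ] || continue
    base=$(basename "$f")
    # Step 1: quarantine copy of exactly what would be deleted.
    awk -v org="$org" -v ip="$ip" '$2 == org && $3 == ip' "$f" \
      > "$quar/$base.removed"
    n=$(wc -l < "$quar/$base.removed" | tr -d ' ')
    if [ "$n" -gt 0 ]; then
      # Step 2: rewrite the file without the matching lines, then swap it in.
      awk -v org="$org" -v ip="$ip" '!($2 == org && $3 == ip)' "$f" > "$f.tmp"
      mv "$f.tmp" "$f"
    else
      rm -f "$quar/$base.removed"   # nothing removed; no empty quarantine file
    fi
    removed=$((removed + n))
  done
  echo "$removed"
}
```

Usage on the constructed sample: `write_sample ./src; purge_events ./src ./quarantine 2001 10.1.1.5` removes the three events for org 2001 from 10.1.1.5 and leaves the org 2002 event from the same IP alone, because both fields must match; if the counts do not add up, the `.removed` files can be concatenated back. Before doing anything like this on a real event store, stop ingestion for the affected files and confirm the store is actually line-oriented text, since a compressed or indexed store will not survive `sed`/`awk` rewriting.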