Hello Ken,
Thank you for your reply. We use the retention policy for each SIEM tenant, but I was wondering if there is a recommended way to delete specific logs or event types from a device from a specific tenant on an NFS or hardware FortiSIEM deployment after the fact. The minimum time for the retention policy is 5 days to wait for purging data sets, which, if storage conscious, may not be feasible. Let's say we added a device and misconfigured the recipient tenant ORG ID or collector, or the scenario of running environment-wide discoveries, then deleting specific logs from the datastore and keeping the ones important to that Org/Tenant. I was hoping someone has run into this before; if not, I will dig into the manual way (grep, ack, sed) to find those logs and see where that goes. Cheers.
-------------------------------------------
Original Message:
Sent: Apr 22, 2021 08:09 AM
From: Ken Mickeletto
Subject: FortiSIEM - Manually deleting logs
Hi Alex,
There are multiple ways to purge log data from FortiSIEM.
To perform this within the GUI, simply go to Admin/Settings/Retention Policy.
From there, you can create policies to purge events by customer org.
------------------------------
Ken
------------------------------
Original Message:
Sent: Apr 21, 2021 10:05 AM
From: Alex D-C
Subject: FortiSIEM - Manually deleting logs
Hello,
I have been looking for a way to manually delete logs in FortiSIEM but cannot find one. Does anyone know the recommended way to do so?
We have NFS as the back end for one deployment and a hardware all-in-one for another FortiSIEM deployment, both separate. We would like to know what the recommended way is to delete certain logs from the back end once ingested. I understand we could use drop rules, but what about deleting from the back end?
Any help is much appreciated; thank you in advance.
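The "manual way (grep, sed)" mentioned in the latest reply, as an added example that is not from any participant in this thread and not Fortinet's own tooling. It assumes line-oriented text log files with the tenant recorded as a `custId=<id>` attribute (an assumption; FortiSIEM's on-disk EventDB format is not assumed here, so point it at a matching export). It first reports, per file, how many events belong to the given org ID without touching anything, and only on request writes filtered copies to a separate directory so the originals remain until the result has been checked.

```shell
#!/bin/sh
# Added example (not from the thread or Fortinet): locate events that belong to
# one org/tenant ID across line-oriented log files, report counts per file, and
# optionally write filtered copies to a separate directory instead of editing
# the originals in place.
#
# ASSUMPTION: files are plain text, one event per line, and the tenant is
# recorded as "custId=<id>". Adjust the pattern to match your export format.

# org_pattern ORGID -> extended regex matching custId=<ORGID> as a whole number
# (so org 1 does not also match custId=10).
org_pattern() {
    printf 'custId=%s([^0-9]|$)' "$1"
}

# count_org_events DIR ORGID -> prints "<file> <count>" for each file with hits.
# Dry run only: nothing is modified.
count_org_events() {
    dir=$1; org=$2
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        # grep -c exits 1 when there are no matches; keep going in that case.
        n=$(grep -Ec "$(org_pattern "$org")" "$f" || true)
        [ "$n" -gt 0 ] && echo "$f $n"
    done
    return 0
}

# org_event_total DIR ORGID -> total number of matching events across DIR.
org_event_total() {
    total=0
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        n=$(grep -Ec "$(org_pattern "$2")" "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# filter_org_events SRC DST ORGID -> for every SRC/*.log write DST/<name> with
# the org's events removed. Originals are left untouched for verification.
filter_org_events() {
    src=$1; dst=$2; org=$3
    mkdir -p "$dst"
    for f in "$src"/*.log; do
        [ -f "$f" ] || continue
        # grep -v exits 1 when every line matched (empty output is still valid).
        grep -Ev "$(org_pattern "$org")" "$f" > "$dst/$(basename "$f")" || true
    done
}

# Stand-alone usage: sh this_script.sh /path/to/export <orgid>
if [ "$#" -ge 2 ]; then
    count_org_events "$1" "$2"
fi
```

Run the counting step first and compare the per-file totals against what the GUI reports for that org before producing filtered copies; only swap the filtered files into place once the counts reconcile.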