FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Article Id 244058

This article describes how Retention Policies work.

Scope Storage.

When the Online database becomes full, then events must be deleted to make room for new events. This can be Space-based or Policy-based.


1) Policy-Based Retention:

If the Online retention policy is created today for 90 days, then the policy will move the data from online storage to archive storage, on the 91st day from the day of creating the policy.


So, if a new retention policy is created today, 91 days after today, the logs from today will be moved to the archive. Any older logs of today, are left untouched and will be de-moved to archive storage (if it is configured) or will be purged (if no archive storage is configured) based on the Space-Based policy and will be subjected to FIFO.

To enforce the Policy-Based Retention for old data, use of the script EnforceRetentionPolicy.

A date is specified as the number of days since the UNIX epoch, 1970-01-01.

Example: EnforceRetentionPolicy 16230,16233-16235.
Enforce retention policies in eventDB on 6/8/2014 and from 6/11/2014 to 6/13/2014.


Note 1: The script should be run from the admin user. So, 'su admin' before running the script.

Note 2: Also, the script depends on the data size which is enforced. First run the script for one day and gradually increase the range.

It is not recommended to use the script only for few GBs of data.

To enforce the retention policies for a big amount of data (many days), use the script many times for a few days each time.


- Archive Retention Policies cannot be fewer days than Online ones.

In this example, data will be on Online storage for 5 days.

On 6th day, data will be moved to Archive storage and they will remain there for 10 days.

So, the data will be saved in total for 15 days as defined on Archive Retention Policy: 5 days on Online storage and 10 on archive one:




2) Space based retention:

Space-based retention is based on two thresholds defined in the /opt/phoenix/config/phoenix_config.txt file on the Supervisor node.

- For online data:


[BEGIN phDataPurger]

- Online_low_space_action_threshold_GB (default 10GB).
- Online_low_space_warning_threshold_GB (default 20GB).


- For archive data:

[BEGIN phDataPurger]


- When Online disk space reaches the low threshold (online_low_space_action_threshold_GB) value, then events are archived (if the archive directory is set) or purged.

This operation continues until the Online disk space reaches the online_low_space_warning_threshold_GB value. This check is done hourly.


It is possible to change these parameters to suit the environment and they will be preserved after the upgrade. To change these values, then change them on the Supervisor CLI and restart phDataManager and phDataPurger processes:

killall -9 phDataManager
killall -9 phDataPurger


For more information, refer to the FortiSiem documentation:
Retention Database Documentation