FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
nsoni
Staff
Article Id 213868
Description This article describes how to free up the space on /data consumed by an organization's events when that organization is to be removed.
Scope FortiSIEM
Solution

It is neither possible nor recommended to delete events directly from /data; however, the same result can be achieved by setting up a retention policy in the FortiSIEM GUI.

Before following the steps below, make sure events are no longer being ingested for that organization.

If the organization is yet to be deleted:

1) Create a retention policy that applies only to the organization whose events are to be deleted, removing events older than X days.

2) After X days, verify no events are available for that organization under Analytics.

3) Delete the organization using the FortiSIEM GUI.

If the organization is already deleted:

1) If a retention policy common to all organizations already exists to remove events older than X days, then no action is required, as events for the deleted organization should get removed after X days.

2) If no retention policy common to all organizations exists, then a default retention policy applies to such events.

Refer to the documentation below for full details on retention policies, including the default retention policy:

https://help.fortinet.com/fsiem/6-5-0/Online-Help/HTML5_Help/Database_Settings_Retention.htm (FortiSIEM 6.5.0)

https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/Database_Settings_Retention.htm (FortiSIEM 6.4.0)

 
