SIEM & UEBA

Expand all | Collapse all

FortiSIEM - Manually deleting logs

  • 1.  FortiSIEM - Manually deleting logs

    Posted 20 days ago
    Hello,
    I have been looking for a way to manually delete logs in FortiSIEM but can not find one. Does any one know recommended way to do so?
    We have NFS as back end for one deployment and Hardware all in one for another FortiSIEM deployment, both separate. We would like to know what is the recommended way to delete certain logs from the backend once ingested. I understand we could use drop rules but what about deleting from the back end.

    Any help is much appreciated , thank you in advance.


  • 2.  RE: FortiSIEM - Manually deleting logs

    Posted 19 days ago
    Hi Alex,

    There are multiple ways to purge log data from FortiSIEM.

    To perform this within the GUI, simply go to Admin/Settings/Retention Policy

    From there, you can create policies to purge events by customer org.

    ------------------------------
    Ken
    ------------------------------



  • 3.  RE: FortiSIEM - Manually deleting logs

    Posted 19 days ago
    Hello Ken,

    Thank you for your reply. We use the retention policy for each SIEM tenant, but I was wondering if there is a recommended way to delete specific logs or event types from a device from a specific tenant on NFS or hardware FortiSIEM deployment after the fact. the minimum time for the retention policy is 5 days to wait for purging data sets, which if storage conscience may not be feasible. Lets say we added a device and misconfigured the recipient tenant ORG ID or collector, Or the scenario of running environment wide discoveries then deleting specific logs from the datastore and keeping the ones important to that Org/Tenant. I was hoping some one has ran into this before , if not will dig into the manual way ( grep, ack, sed ) to find those logs and see where that goes, cheers.