Configuring RiskVision local storage settings

52034 | System Management | TRITON RiskVision | 24-Sep-2015

Use the System > Local Storage tab to configure how long incident and session data is stored on the RiskVision appliance, and to enable or disable pcap file storage.

Data Retention

You can customize the factors that determine how long incident and session data is stored, and what happens when the database reaches its configured limits.

Use the Incident Storage box to configure:

The maximum number of threat or data loss incident records to store in the database (default 400,000)

Click the existing number next to the word maximum.

Enter a new number in the Maximum Records Allowed dialog box.

Click OK.

Whether database cleanup occurs automatically

To do this, mark or clear the Enable database cleanup check box.

Note that if you disable database cleanup, when the database is full, new records will be discarded. Database cleanup deletes the oldest records to make room for new records.

How long to keep incident records (default 30 days)

Click the number of days next to Delete records older than.

Enter a new number (whole number between 1 and 356) in the field.

Click OK.

If the maximum number of incident records is reached before the oldest records reach the obsolescence period that you select, and database cleanup is enabled, the oldest records will still be deleted to make room for newer records.

Likewise, even if the database is not full, records older than the period specified will be deleted by the cleanup job.

Use the Session Storage box to configure:

The maximum number of sessions to store in the database (default 2,000,000)

Session data is stored only when the Log all sessions option is enabled on the Diagnostics page. Session logging is generally enabled only for troubleshooting, and disabled when the troubleshooting process is complete.

Whether database cleanup occurs automatically

Because session data is typically used for troubleshooting, it is a best practice to allow the automated database cleanup process to remove data that is no longer needed.

How long to keep session data (default 3 days)

If you have enabled database cleanup for incident storage, session storage, or both, also set a time to have a database job Perform database cleanup daily (23:30, by default).

Pcap retention

Use the Incident Pcap Retention box to configure:

Whether to store pcap files for threat and data loss incidents in your network

To give you as much data as possible about malicious and suspicious incidents that occur in your network, pcap retention is enabled by default.

The maximum amount of disk space to use for pcap file storage (default 60 GB)

Whether to delete the oldest files (default) or stop storing new files when the storage size reaches 90% of maximum capacity

Even with pcap retention enabled, pcap files cannot be created for all incidents. If analysis of a transaction takes more than 5 minutes, the pcap file is discarded before the system determines whether or not an incident has occurred.

Incidents that do not have a corresponding pcap file are still logged, and still appear in the table on the Incidents page.

The session number for incidents without pcap files is displayed in black text. The session number does not link to any content.

The session number for incidents that do have pcap files is displayed in blue text. Click the session number to open the pcap file associated with the incident.