Automatic archiving

Documentation | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Archiving Forcepoint DLP Incident Data : Automatic archiving

Automatic archiving

Automatic archiving occurs when there are too many incident partitions, or when there is insufficient disk space for the forensics repository.

When there are too many online partitions

The incident database has one active partition and stores up to 8 partitions online.

When a new active partition is created after the 91-day period, the old active partition changes to online status.

When the maximum number of online partitions has been reached, the oldest partition is archived.

Both incidents and their forensics data are archived.

Forcepoint DLP administrators can view and restore the archived partitions.

When there is not enough disk space

When the forensics repository consumes 100 percent of the allotted space (50 GB, by default), a notification is issued, and archiving occurs automatically.

Automatic archiving starts with the oldest records and continues archiving until at least 15 percent of the allotted disk space is free.

Archiving includes forensics data, but not incidents.

When this type of automatic archiving is initiated, the system checks to see whether the newly archived data will cause the archive folder to exceed its designated maximum size (50 GB, by default).

If the addition of new records will make the folder too large, the oldest automatically archived records are deleted to free 10 percent of the archive folder's maximum size.

If 10 percent of the allotted space cannot be made available by deleting automatically archived records, a system log message (with a severity of "warning") is issued.

Configure the size of the archive folder on the Settings > General > Archive Storage page in the Security Manager.

Automatically archived records created when there is not enough disk space are considered private. Forcepoint DLP administrators cannot see them.

These archives:

Cannot be restored by the administrator, even though they are stored in the same place

Are stored in a format that can be restored by Forcepoint Technical Support

The Technical Support representative can also identify the creation dates of archived records.

Threshold alerts

An alert is sent when the forensics repository approaches or reaches the maximum alloted disk space (50 GB, by default).

Configure the maximum size of the forensics repository on the Settings > Deployment > System Modules page in the Security Manager.

The following alerts are issued once each time the thresholds are surpassed.

Disk space usage crossed X% of allowed space

Two alerts of this type are issued: one at 80% and one at 90%, by default. At crossing the first threshold, the alert severity is "information." At the second threshold, the severity is "warning."

Disk space usage crossed 100% of allowed space, some records were automatically archived

The severity of this alert is "warning."

Administrators can also configure alerts to be sent when the archive disk space approaches its limit. This is done on the Settings > General > Alerts page.

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Archiving Forcepoint DLP Incident Data : Automatic archiving

Copyright 2018 Forcepoint. All rights reserved.