Retention periods can be configured per data source from the data source menu. By default each log message is kept for 1 year, but this period can be extended.
We split the logs into hot, warm and cold storage tiers in order to keep both search and storage efficient:
- Each log is kept in hot, searchable storage for 2 weeks
- After 2 weeks, logs are transferred to a warm, searchable storage for 1 month
- After that 1 month expires, logs are moved to cold storage, from which they are picked up and reindexed whenever a query covers the corresponding time period
This approach allows us to offer practically unlimited retention (capped at 3 years, but extendable upon request in accordance with regulatory requirements).
Logs are stored in the AWS region in which the LogSentinel SIEM deployment operates. By default this is eu-west-1, so customers who need their data stored in another region should request it.