Retention periods can be configured per data source from the data source menu, allowing you to granularly cover compliance needs. By default each log message is kept for 3 months, but this can be extended.
We split the logs into hot, warm and cold storage in order to make search and storage efficient:
- Each log is kept in hot, searchable storage for 1 week
- After 1 week, logs are transferred to warm, searchable storage for 1 month
- After the 1 month expires, logs are moved to cold storage
This approach allows us to offer practically unlimited retention (capped at 2 years, but extendable upon request in accordance with regulatory requirements).
With our SaaS offering, logs are stored in the AWS region that the LogSentinel SIEM deployment operates in. By default this is eu-west-1, so if customers need data to be stored in another region, this should be requested.
Log retention for on-premises setups
On-premises setups use the same approach, except that the warm and cold storage need to be handled on the customer's infrastructure.