IBM Support

QRadar: How to create a retention bucket to preserve SIEM audit data

Question & Answer


Question

By default QRadar SIEM audit logs are maintained for 1 month. Using retention buckets, it is possible to preserve them for longer periods of time.

Answer

The QRadar audit logs are parsed into events. These events are parsed by the SIM-Audit-2 DSM and are maintained in the default Event Retention Bucket. The default Event Retention Bucket is configured out of the box to maintain all events for a one month period. If you want to maintain your SIEM audit data for longer periods of time, you can configure a new Retention Bucket to filter for the SIM-Audit-2 events and maintain them longer. The following procedure describes how to make such a configuration.

Procedure
  1. Log in to QRadar User Interface as an administrator.
  2. Click the Admin tab.
  3. Click the Event retention icon.
  4. Verify that the Tenant drop-down is N/A.
  5. Select an Event Retention Bucket.
  6. Click Edit.

  7. Configure the appropriate options in the Retention Properties form.

    1. Select Log Source from the Current Filters drop down. In the log sources that are listed, identify SIM Audit-2 Log source and click Add Filter.
    2. Use the Keep data placed in this bucket for field to set your retention period. In our example, it is set to 1 year.
    3. The Delete data in this bucket field determines how the data is treated after the retention period is over. You can choose to delete the data immediately or as space is needed.
    4. The Name and Description fields are for user benefit and have no effect on the operation of the retention policy.
  8. Click Save to return to the Event Retention page. By default the new bucket will be created as enabled. Verify that it is enabled and click Save.

 

[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]

Document Information

Modified date:
18 January 2021

UID

swg21988163