Question & Answer
Question 2: Should users implement some data retention policy for the Storage Account?
A simplified estimate is the number of partitions multiplied by the space taken by each log source configured in QRadar:
Each Azure Event Hub log source has a maximum of 32 partitions, and each log source takes approximately 140 bytes. With this formula, the metadata for each Event Hub configured takes about 32 x 140 bytes.
Note: This is a rough estimate based on testing done in IBM labs; in any case, the space needed in the Storage Account is minimal.
The Storage Account is for permanent storage of the metadata and QRadar users should avoid modifying or deleting the contained files.
The exception is when the Storage Account owner changes the connection information (in the log source configuration) to use a different:
- Storage Account
- Consumer group name
- Event Hub name
In those cases the original files are no longer used, so the Storage Account owner is free to do what they want with that unused data.
06 May 2020