IBM Support

QRadar: Event or flow retention support policies

Question & Answer


Question

This article informs administrators about QRadar® Support policies. This document outlines out-of-scope work for event retention issue cases and the responsibilities of the QRadar administrator. 

Answer

Responsibilities for Event Retention cases

Administrators might encounter issues where data is not retained as required by a company data retention policy, or where data is kept too long and the disks fill, requiring administrative action. This article explains what assistance is available to administrators when an event retention issue occurs.

Support type Description Responsibility
Event Retention assistance and error support
Administrators can contact QRadar technical support for assistance with event or flow retention issues. For example, QRadar Support can:
 
  1. Troubleshoot issues where an event or flow retention policy fails to remove data for the scheduled retention period.
  2. Troubleshoot issues where an event retention policy removes data incorrectly.
  3. Investigate error messages reported in the logs that relate to retention or storage.
  4. Assist administrators with disk space issues where services stop on the appliance. For more information, see QRadar Disk Space 101.
  5. Review whether performance issues are interfering with disk maintenance.
  6. Explain documentation or features for event or flow retention configuration in the user interface.
Resources
QRadar technical support

To open a case or report an event retention issue, contact QRadar technical support.
Out-of-scope for QRadar Support
The following activities are considered out-of-scope for technical support.
Support reserves the right to close cases related to the following issues:
 
  • Requests to configure, modify, or tune event or flow retention policies.
  • Requests to advise administrators on long-term retention best practices or data audit requirements.
  • Requests to provide security recommendations on the importance of specific event or flow sources for an organization.
  • Requests to recover data deleted without a backup.
For help with configuring long-term retention or tuning event or flow retention policies, contact IBM Security® Expert Labs.

Document Information

Modified date:
07 January 2022

UID

ibm16497235