IBM QRadar

Hello

I have recently taken over our QRadar SIEM support - very new to this. One of the tasks I am trying to complete is removing old log sources which have not been sending events (likely decommissioned but never removed from QRadar) in over 2 years. 

My question is this...when I delete a log source, what happens to any logs which were ingested in to QRadar? Do those delete or archive? Or do they remain in our database? 

Thanks in advance for your help!

Jeannie

------------------------------
Jeannie Burrell
jeannie.burrell@pattersoncompanies.com
------------------------------

Hi Jeannie,

It's been a while but if I recall correctly, the logged payloads will sit in the Ariel database, until the retention policy you have set for the domain removes those payloads from storage.

If you have more than the one default domain, the retention policy can be adjusted for each domain.

------------------------------
Darren H.
------------------------------

Original Message:
Sent: Wed December 14, 2022 11:34 AM
From: Jeannie Burrell
Subject: Log Source Deletion and Historical Logs

Hello

I have recently taken over our QRadar SIEM support - very new to this. One of the tasks I am trying to complete is removing old log sources which have not been sending events (likely decommissioned but never removed from QRadar) in over 2 years. 

My question is this...when I delete a log source, what happens to any logs which were ingested in to QRadar? Do those delete or archive? Or do they remain in our database? 

Thanks in advance for your help!

Jeannie

------------------------------
Jeannie Burrell
jeannie.burrell@pattersoncompanies.com
------------------------------

Hi Jeannie
in Addition to what Darren said correctly some more comments.
the historic log records have been deleted after two years most probably. Simply search for the records listed in last record.
log source are stored in Postgres. Deleting them buys nothing as records just get a deleted flag. But you are loosing historical context information you may need at a later point in time. If you replace hundreds of log source of same type on a regular basis , eg Windows, you just delete them of course.
br Karl

------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
------------------------------

Original Message:
Sent: Wed December 14, 2022 11:34 AM
From: Jeannie Burrell
Subject: Log Source Deletion and Historical Logs

Hello

I have recently taken over our QRadar SIEM support - very new to this. One of the tasks I am trying to complete is removing old log sources which have not been sending events (likely decommissioned but never removed from QRadar) in over 2 years. 

My question is this...when I delete a log source, what happens to any logs which were ingested in to QRadar? Do those delete or archive? Or do they remain in our database? 

Thanks in advance for your help!

Jeannie

------------------------------
Jeannie Burrell
jeannie.burrell@pattersoncompanies.com
------------------------------