IBM QRadar

  • 1.  Old Log Retention of Deleted Log Source

    Posted Wed October 20, 2021 08:18 AM

    We are going to delete some log sources because our customer is going to dismiss the servers.

    Are old logs kept in the Ariel DB until the retention period expires?



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Old Log Retention of Deleted Log Source

    Posted Wed October 20, 2021 08:37 AM

    Hello Davide,

    Yes. The logs will be in the Ariel DB and will be removed as per your defined retention policy.

    Thanks!

    Ashish Kothekar





  • 3.  RE: Old Log Retention of Deleted Log Source

    Posted Wed October 20, 2021 08:41 AM

    Thanks Ashish for your quick response.

    In addition, when we have deleted the log source, how could we retrieve the logs of this deleted log source if the customer asks us to do this?





  • 4.  RE: Old Log Retention of Deleted Log Source

    Posted Thu October 21, 2021 05:58 AM

    Hello Davide,

    There is no straightforward way to fetch the logs of the deleted log source from the GUI. When you delete the Log Source, the Log Source information and soft links to data are deleted, but the data remains in the Ariel DB as per the retention policy.

    The retrieval of such data is a bit tricky. If you have, say, a CMT export of the Log Source (before deleting the log source), you can try importing it back again. This should enable the data to be searched.

    This is not a supported way but just something that you can try. Also, the data could still be searched based on, say, Source IP or any other filter but for log source identity.

    Thanks!

    Ashish Kothekar



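The Source IP search mentioned in the last reply could be written as the following pair of AQL queries. This is an added example, not part of the original thread or IBM's own procedure. The address `192.0.2.10`, the time window, and the log source ID `1234` are constructed placeholders, and it assumes the stored event records still carry the numeric `logsourceid` after the log source definition is deleted.

```sql
-- Step 1: list which log source IDs are still present in Ariel for the
-- decommissioned server's address, with volume and time span per ID.
-- (192.0.2.10 and the dates are constructed sample values.)
SELECT logsourceid,
       COUNT(*)       AS event_count,
       MIN(starttime) AS first_seen,
       MAX(starttime) AS last_seen
FROM events
WHERE sourceip = '192.0.2.10'
GROUP BY logsourceid
START '2021-09-20 00:00' STOP '2021-10-20 00:00';

-- Step 2: pull the raw events for one ID found in step 1.
-- (1234 is a placeholder; substitute the ID returned above.)
-- The filter uses the stored numeric ID and the source IP, not the
-- log source name, since the name no longer exists after deletion.
SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       sourceip,
       destinationip,
       QIDNAME(qid)  AS event_name,
       UTF8(payload) AS raw_payload
FROM events
WHERE sourceip = '192.0.2.10'
  AND logsourceid = 1234
ORDER BY starttime
LIMIT 1000
START '2021-09-20 00:00' STOP '2021-10-20 00:00';
```

Keep the START/STOP window inside the retention period, since events older than the retention policy allows will already have been purged.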