Configuring the retention period of Kaspersky Anti Targeted Attack Platform system logs and alerts

You can configure the retention period of some logs and alert data in the database of the Central Node component, as well as the retention period of the Sensor and Sandbox logs. By default, the alert data in the Central Node database is rotated when the number of alerts by a particular technology reaches 1,000,000. The default retention period for logs is 90 days.

You can configure log retention for the Central Node and Sensor components in the administrator menu of the Central Node or Sensor component. You can configure the retention of the Sandbox log using standard tools of the operating system.

You can configure the retention period for the following logs:

To configure the retention period of the Central Node or Sensor logs, as well as the retention period of alert data in the Central Node database:

  1. If you want to configure the retention period for logs and alert data in the Central Node component database, log in to the management console of the Central Node server using SSH or a terminal.
  2. If you want to configure the retention period for Sensor logs, log in to the management console of the Sensor server using SSH or a terminal.
  3. When the system prompts you, enter the administrator user name and the password that was specified during installation of the component.

    The application component administrator menu is displayed.

  4. Select Program settings.
  5. Press ENTER.

    This opens the Select action window.

  6. Select Configure storage period for detects and logs.
  7. Press ENTER.

    This opens the Configure storage period window.

  8. Select Change storage period.

    This opens the Storage period window.

  9. In the Storage period field, specify the log retention period in days. The maximum log retention period that you can specify is 10,000 days.

    The default value is 90.

  10. Select Apply Changes.

    This opens the Apply storage period window.

  11. In the displayed window, select OK.

The retention period for Central Node or Sensor logs and the retention period for alert data (when Central Node settings are changed) are configured.

To change the retention period for Sandbox logs:

  1. If you want to change the retention period of the apt-audit.log, apt-history.log, and user-actions.log logs, open the /etc/logrotate.d/apt-audit file for editing as root and change the 'rotate' setting of the relevant log.
  2. If you want to change the retention period of auth.log, open the /etc/logrotate.d/auth file for editing as root and change the 'rotate' setting.

    The maximum log retention period that you can specify is 10,000 days. By default, the log retention period is 90 days.

The retention period for Sandbox logs is configured.
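The Sandbox step above edits the 'rotate' directive of a logrotate.d fragment by hand. The following shell functions, an added example that is not part of Kaspersky's documentation or tooling, make the same change with the 1..10,000 bound the page states, keep a backup of the original file, and show the result on a constructed fragment (the log path in the demo is illustrative, not taken from the page).

```shell
#!/bin/sh
# Added example, not Kaspersky's own tooling: change the 'rotate' count in a
# logrotate.d fragment such as /etc/logrotate.d/apt-audit, enforcing the same
# 1..10000 bound the page states, and keeping a backup of the original file.
# Caveat: 'rotate N' keeps N rotated copies; that equals N days of retention
# only if the stanza also rotates 'daily'.

# Usage: get_rotate <config file>  -> prints the first 'rotate' count found
get_rotate() {
    sed -n -E 's/^[[:space:]]*rotate[[:space:]]+([0-9]+).*/\1/p' "$1" | head -n 1
}

# Usage: set_rotate <config file> <new rotate count>
# Prints the resulting count on success; returns non-zero and leaves the
# file untouched on invalid input.
set_rotate() {
    cfg=$1
    n=$2
    case $n in
        ''|*[!0-9]*) echo "rotate count must be an integer" >&2; return 1 ;;
    esac
    if [ "$n" -lt 1 ] || [ "$n" -gt 10000 ]; then
        echo "rotate count must be between 1 and 10000" >&2; return 1
    fi
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak"          # backup for rollback
    # Rewrite every 'rotate <number>' directive, preserving indentation.
    sed -E "s/^([[:space:]]*rotate[[:space:]]+)[0-9]+/\1$n/" "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
    get_rotate "$cfg"
}

# Demo on a constructed fragment (the log path is illustrative, not from the page).
demo=$(mktemp)
printf '/var/log/apt-audit.log {\n    daily\n    rotate 90\n    compress\n}\n' > "$demo"
echo "before: $(get_rotate "$demo")"                 # 90
echo "after:  $(set_rotate "$demo" 180)"             # 180
rm -f "$demo" "$demo.bak"
```

After changing a real fragment, `logrotate -d /etc/logrotate.d/apt-audit` performs a dry run that shows what the edited configuration would do without rotating anything.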
