/var/vigilante/agent_events/, to ensure data consistency. If a Sensor loses connectivity to the server, it continues to write to these cache files to prevent event loss. Once the Sensor reconnects, it begins forwarding from this cache again, submitting events to the server for correlation.
Sheriff CSM Server, on the other hand, stores security events in two different tables:
backup_events_min_free_disk_space, to set the minimum free disk space required for event backup to take place. The default is 10%. If the free disk space on the system is less than this setting, event backup does not start.
To change any of the default values for event backups: Change the Allowed free disk space for the SIEM backups, if desired.
Available values are 10% and 15%. Default is 10%.
Change the Number of Backup files to keep in the filesystem, if desired.
Sheriff CSM keeps one backup file per day for event backups. Default is 30.
Change the number of days to keep events in the database, if desired.
0 means that there are no backups for events. Default is 90.
Alternatively, change the number of events you want to keep, if desired.
0 means that there is no limit on the number of events stored in the database. Default is 40,000,000.
Important: Sheriff discourages setting either limit to 0 because you may soon run out of disk space.
/var/lib/vigilante/backup. By default, it keeps 30 backup files, which correspond to 30 days of events. You can restore the events generated on a certain day.
Important: If you are running Sheriff CSM version 5.6 or later, you cannot restore event backup files from an earlier version. This is due to a schema change in the SIEM database introduced in Sheriff CSM version 5.6, making the backup files from earlier versions incompatible.
To restore events from the Sheriff CSM web UI: Select the date you want to restore.