Archiving audit data
DAM activity auditing and compliance audits that run with alert PCI, SOX, and HIPAA policies generate data that is stored in the FortiDB repository. To conserve repository space and improve performance, you can move this data to archive files that you can return to the repository later.
FortiDB allows you to archive and retrieve the following types of data:
Assessment
Alert
Auditing (includes sniffer activity auditing data and SOX audit data generated by alert SOX policy)
Archiving data exports it to an encrypted file. When you retrieve data, FortiDB imports it back into its repository.
Depending on how often you assess or monitor databases and the number and type of policies and target databases involved, the archive files can consume a large amount of space. To make space available on your appliance, you can move the exported files to remote storage and retrieve them later, if necessary. FortiDB requires an FTP server for remote storage. You cannot use another type of server.
 
To generate reports using archived data, you first retrieve the data.
You cannot retrieve archived data if the target associated with the data is deleted. For example, if you archive assessment data for a target database and then delete the target configuration for that database, you cannot restore the archived assessment data.
The day and time that FortiDB created the archive is displayed in the Timestamp column on the Retrieve tab.
You cannot retrieve any data that you have already retrieved. This limitation prevents duplicate records in the FortiDB repository.
Archiving example
In the following illustration, FortiDB archives assessments with a date between January 8, 2008 and January 10, 2008. (Because the archive interval starts at 0:00 a.m. on the start date and ends at 0:00 a.m. on the end date, FortiDB does not archive data for January 11.) The assessments for all other dates remain in the repository.
Archiving strategy
Plan an archiving configuration that is appropriate for your environment. For example, determine how often you archive data based on your volume of data, and when to start archiving based on that frequency.
For example, if you plan to keep up to 4 months' worth of data in your FortiDB repository, wait 4 months after installing FortiDB before archiving for the first time. After 4 months, in the Archive Period field of the Archive tab, select 3 Month(s) and older. This value archives all results except those that FortiDB ran during the previous three months. Schedule the archive to run immediately by specifying the current date and time. After archiving, three months' worth of data remains in your repository.
To maintain this frequency, you can either repeat the process of creating a 3 Month(s) and older archive every month or schedule it to occur automatically at an interval or on a specified day of the week or month.
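The two selection rules described above (a manual start/end date window that runs from 0:00 on the start date up to, but not including, 0:00 on the end date, and an age-based "N Month(s) and older" cutoff) are modelled here as an added example; this is not FortiDB code. The sample records are constructed, and the calendar-month subtraction used for the age cutoff is an assumption, since the page does not state how FortiDB computes it.

```python
import calendar
from datetime import date, datetime

# Constructed sample repository records: (record id, time the result was generated).
SAMPLE_RECORDS = [
    ("asmt-1", datetime(2008, 1, 7, 23, 59)),
    ("asmt-2", datetime(2008, 1, 8, 0, 0)),
    ("asmt-3", datetime(2008, 1, 9, 12, 30)),
    ("asmt-4", datetime(2008, 1, 10, 0, 0)),  # falls on the end date, so it is excluded
    ("asmt-5", datetime(2008, 1, 11, 8, 0)),
]


def manual_archive_window(start: date, end: date):
    """Archive tab semantics: [0:00 on start date, 0:00 on end date), i.e. the end date itself is excluded."""
    lo = datetime.combine(start, datetime.min.time())
    hi = datetime.combine(end, datetime.min.time())
    return lo, hi


def select_manual(records, start: date, end: date):
    """Record ids that a manual archive with the given start/end dates would export."""
    lo, hi = manual_archive_window(start, end)
    return [rid for rid, ts in records if lo <= ts < hi]


def months_back(now: datetime, months: int) -> datetime:
    """Same time of day `months` calendar months earlier, clamping the day for shorter months.
    Assumed rule for the 'N Month(s) and older' cutoff; the page does not specify FortiDB's exact arithmetic."""
    y, m = divmod(now.month - 1 - months, 12)
    year, month = now.year + y, m + 1
    day = min(now.day, calendar.monthrange(year, month)[1])
    return now.replace(year=year, month=month, day=day)


def select_auto(records, now: datetime, months: int):
    """'N Month(s) and older': export everything except results from the last N months."""
    cutoff = months_back(now, months)
    return [rid for rid, ts in records if ts < cutoff]


def remaining_after_auto(records, now: datetime, months: int):
    """What stays in the repository after an age-based archive run at `now`."""
    archived = set(select_auto(records, now, months))
    return [rid for rid, _ in records if rid not in archived]
```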
Archiving data
The manual archiving process allows you to archive all assessment and monitoring data using a start and stop date. The scheduled archiving process allows you to archive data based on the age of the data relative to the date on which FortiDB does the archiving.
To immediately archive data based on its age, use the scheduled archiving process (Enable Auto Archive) and specify the current time and date.
To configure remote archiving
1. On the navigation menu, go to Administration > Archive/Retrieve.
2. On the Remote Archive Configuration tab, enter the IP address, port, username, password, and remote path for the remote FTP server.
The remote archiving feature works with an FTP server only.
3. Click the Save button to save the remote server configuration.
To archive data manually
1. If you want to send the archive to a remote server, complete the settings on the Remote Archive Configuration tab.
For more information, see “To retrieve archived data”.
2. In the navigation menu, go to Administration > Archive/Retrieve.
3. On the Archive tab, specify a start and end date for your archive.
 
Because the selected dates specify 0:00 a.m. on the start date and 0:00 a.m. of the end date, the archive does not include data generated on the end date.
4. Click Archive Now.
The message “Archiving Completed” is displayed in the Status area in the top-right corner of the page.
5. To send the archive to a remote server, on the Retrieve tab, select the archive you just created, and then click Send to remote server.
To archive data according to a schedule
1. If you want to send the archive to a remote server, complete the settings on the Remote Archive Configuration tab.
For more information, see “To retrieve archived data”.
2. In the navigation menu, go to Administration > Archive/Retrieve.
3. On the Archive tab, select Enable Auto Archive.
4. Under Archive period, specify the end date for data in the archive by selecting the number of days, weeks, or months prior to the current date.
For example, 3 Month(s) and older creates an archive that contains all results except those that FortiDB ran in the last 3 months.
5. Under Run time, do one of the following:
Enter a time and date for Start at.
Under Recurrence pattern, select Hourly, Daily, Weekly, or Monthly.
Hourly: Specify the hourly interval in the Every __ hours field.
Daily: Specify the daily interval in the Every __ days field.
Weekly: Specify the weekly interval in the Every __ week(s) on field, and then specify one or more days of the week on which FortiDB runs the archive.
Monthly: Specify one or more months to run your archive in, and then do one of the following:
Select Day and specify, as a number, the day of the selected months on which FortiDB runs the archive.
Select The <ordinal number> <day of week> of every, and then select a day of the week in each selected month to run the archive on (for example, first Monday).
6. To send the archive file to a remote server, select Enable remote archive.
7. To delete the archived file from FortiDB, select Delete archive file after sending to remote server.
8. Click Save Schedule.
To retrieve archived data
1. In the navigation menu, go to Administration > Archive/Retrieve.
2. On the Retrieve tab, do one of the following:
To retrieve an archive file that is stored on the appliance, in the list of files, select the file you want to retrieve, and then click Retrieve.
To retrieve an archive file that is stored on the remote server, for Archive file path on remote server, enter the archive file path on the remote server, and then click Get from remote server.
When the retrieval process is complete, the message "Restoring Completed" is displayed in the Status area in the top-right area of the page.
See also
Configuring monitoring using the TCP/IP sniffer (all database types)
Activity profiling