We have DLP 9.3 deployed to our endpoints and as configured we are keeping logs of all files written to removable media for 1 year. Now that we've had it out there for a while, we're interested in starting to keep records of these incidents longer, perhaps indefinitely. Can anyone point me in the right direction? It seems any search terms I can come up with to phrase this question are so generic I've had no luck searching the forum or Google.
After 1 year, you never see the incidents?
Do you want to back up old incidents?
Please tell us exactly the issue you are facing with DLP 9.3 and then what you would like DLP 9.3 to do for you.
How many records in the database are we talking about for retention?
Do your security needs really require you to keep incident data for longer than 6 months or a year? There's no reason it wouldn't work to keep the data in the database and on the evidence share; your only limit would be how many resources you are going to be able to throw at your SQL server and evidence server.
By default, the Host DLP solution does not purge incidents unless you tell it to do so (DLP Policy Manager - [very bottom left] Database Administration).
Just be ready to have infinite space for your SQL DB and Evidence store and you will be OK.