This is a VM-12 SIEM sitting on AWS cloud, running version 11.3.0. Two on-prem receivers feed it (one per tenant).
We've set the two separate ELM storage pools up to store data for 13 months. But one of them appears to be retaining logs from as long ago as January 2020. When a colleague ran ls -lt in /elm_storage/subdirectory, this was the result:
This is normal behaviour. When the ELM stores data into an allocation, it compresses it and puts it into a storeroom file (max size 2 GB). These files are tracked in the SR table of the management database. When one is full and the ELM needs a new file for a storage pool, it performs a lookup in the SR table and uses the oldest expired storeroom file.
If there are no expired storeroom files, the ELM attempts to create a new storeroom file. If it is unable to do so (due to all the allocations being full), it will be unable to insert the new data.
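As an added illustration of the reuse cycle described in that answer (a constructed model written for this thread, not ESM/ELM code), the following simulates a pool of 2 GB storeroom files tracked in an SR table: a full file is only reclaimed when the pool needs a new one and the file has passed retention, so expired data can sit on disk well past 13 months. Sizes in whole GB and a 395-day approximation of 13 months are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed model of the storeroom/SR-table behaviour described above.
# Sizes are in whole GB; the 13-month window is approximated as 395 days (assumption).
STOREROOM_MAX_GB = 2
RETENTION = timedelta(days=395)

@dataclass
class Storeroom:
    sr_id: int
    used_gb: int = 0
    closed_at: datetime | None = None   # set once the file is full
    def expired(self, now: datetime) -> bool:
        return self.closed_at is not None and now - self.closed_at > RETENTION

@dataclass
class StoragePool:
    allocation_gb: int                            # disk allocated to this pool
    sr_table: list = field(default_factory=list)  # stands in for the SR table
    active: Storeroom | None = None

    def _next_storeroom(self, now: datetime) -> Storeroom | None:
        # Step 1: reuse the oldest expired storeroom file, if any exists.
        expired = [sr for sr in self.sr_table if sr.expired(now)]
        if expired:
            sr = min(expired, key=lambda s: s.closed_at)
            sr.used_gb, sr.closed_at = 0, None
            return sr
        # Step 2: otherwise create a new file, if the allocation still has room.
        if (len(self.sr_table) + 1) * STOREROOM_MAX_GB <= self.allocation_gb:
            sr = Storeroom(sr_id=len(self.sr_table) + 1)
            self.sr_table.append(sr)
            return sr
        return None   # allocation full and nothing expired: the insert fails

    def insert(self, size_gb: int, now: datetime) -> int | None:
        """Store size_gb of data; return the storeroom id used, or None on failure."""
        if self.active is None:
            self.active = self._next_storeroom(now)
            if self.active is None:
                return None
        self.active.used_gb += size_gb
        sr_id = self.active.sr_id
        if self.active.used_gb >= STOREROOM_MAX_GB:   # full: close it
            self.active.closed_at = now
            self.active = None
        return sr_id

def oldest_on_disk(pool: StoragePool) -> datetime | None:
    """Expired files are not deleted, only reused, so the oldest closed file lingers."""
    closed = [sr.closed_at for sr in pool.sr_table if sr.closed_at is not None]
    return min(closed) if closed else None
```

Run with a slow-ingest pool and the oldest closed file stays on disk long after retention, then gets reused in place of a new file once the pool needs space; a pool whose allocation is full with nothing expired returns None for the insert.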
Thanks Luke, that's helpful. Just to clarify a couple of points: