|
| 1 | +--- |
| 2 | +title: Configure data retention for logs in Microsoft Sentinel or Azure Monitor |
| 3 | +description: In this tutorial, you'll configure an archive policy for a table in a Log Analytics workspace. |
| 4 | +author: cwatson-cat |
| 5 | +ms.author: cwatson |
| 6 | +ms.service: microsoft-sentinel |
| 7 | +ms.topic: tutorial |
| 8 | +ms.date: 10/03/2022 |
| 9 | +ms.custom: template-tutorial |
| 10 | +#Customer intent: As an Azure account administrator, I want to archive older but less used data to save retention costs. |
| 11 | +--- |
| 12 | + |
| 13 | +# Tutorial: Configure a data retention policy for a table in a Log Analytics workspace |
| 14 | + |
| 15 | +In this tutorial, you'll set a retention policy for a table in your Log Analytics workspace that you use for Microsoft Sentinel or Azure Monitor. These steps allow you to keep older, less used data in your workspace at a reduced cost. |
| 16 | + |
| 17 | +Retention policies in a Log Analytics workspace define when to remove or archive data in the workspace. By default, all tables in your workspace inherit the workspace's interactive retention setting and have no archive policy. You can modify the retention and archive policies of individual tables, except for workspaces in the legacy Free Trial pricing tier. |
| 18 | + |
| 19 | +In this tutorial, you learn how to: |
| 20 | + |
| 21 | +> [!div class="checklist"] |
| 22 | +> * Set the retention policy for a table |
| 23 | +> * Review data retention and archive policy |
| 24 | +
|
| 25 | +## Prerequisites |
| 26 | + |
| 27 | + |
| 28 | +To complete the steps in this tutorial, you must have the following resources and roles. |
| 29 | + |
| 30 | +- Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). |
| 31 | + |
| 32 | +- Azure account with the following roles: |
| 33 | + |
| 34 | + |Built-in Role |Scope |Reason | |
| 35 | + |---------|---------|---------| |
| 36 | + |[Log Analytics Contributor ](/azure/role-based-access-control/built-in-roles) |- Subscription and/or </br>- Resource group and/or</br>- Table | To set retention policy on tables in Log Analytics | |
| 37 | +- Log Analytics workspace. |
| 38 | + |
| 39 | +## Set the retention policy for a table |
| 40 | + |
| 41 | +In your Log Analytics workspace, clear the inherit the workspace setting so the interactive retention period is fixed to 30 days. Then, change the total retention policy for a table like **SecurityEvents** to archive 30 days of data. |
| 42 | + |
| 43 | +1. Sign in to the [Azure portal](https://portal.azure.com). |
| 44 | +1. In the Azure portal, search for and open **Log Analytics workspaces**. |
| 45 | +1. Select the appropriate workspace. |
| 46 | +1. Under **Settings**, select **Tables**. |
| 47 | +1. On a table like **SecurityEvent**, open the context menu (...). |
| 48 | +1. Select **Manage table**. |
| 49 | + :::image type="content" source="media/configure-data-retention/data-retention-tables.png" alt-text="Screenshot of the manage table option on the context menu for a table in the tables view."::: |
| 50 | +1. Under **Data retention**, enter the following values. |
| 51 | + |
| 52 | + |Field |Value | |
| 53 | + |---------|---------| |
| 54 | + |Workplace settings | Clear the checkbox | |
| 55 | + |Interactive retention | 30 days | |
| 56 | + |Total retention period | 60 days | |
| 57 | + |
| 58 | + :::image type="content" source="media/configure-data-retention/data-retention-settings.png" alt-text="Screenshot of the data retention settings that shows the changes to the fields under the data retention section."::: |
| 59 | + |
| 60 | +1. Select **Save**. |
| 61 | + |
| 62 | + |
| 63 | +## Review data retention and archive policy |
| 64 | + |
| 65 | +On the **Tables** page for the table you updated, review the field values for **Interactive retention** and **Archive period**. The archive period equals the total retention period in days minus the interactive retention in days. For example, you set the following values: |
| 66 | + |
| 67 | + |Field |Value | |
| 68 | + |---------|---------| |
| 69 | + |Interactive retention | 30 days | |
| 70 | + |Total retention period | 60 days | |
| 71 | + |
| 72 | +So the **Table** page shows the following an archive period of 30 days. |
| 73 | + |
| 74 | +:::image type="content" source="media/configure-data-retention/data-retention-archive-period.png" alt-text="Screenshot of the table view that shows the interactive retention and archive period columns."::: |
| 75 | + |
| 76 | +## Clean up resources |
| 77 | + |
| 78 | +No resources were created but you might want to restore the data retention settings you changed. |
| 79 | + |
| 80 | +## Next steps |
| 81 | + |
| 82 | +> [!div class="nextstepaction"] |
| 83 | +> [Configure data retention and archive policies in Azure Monitor Logs](/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2) |
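Review bot: The table name is inconsistent between new lines 41 and 47: the section intro says **SecurityEvents** while step 5 says **SecurityEvent**. Use **SecurityEvent** in both places, since that is the Log Analytics table name readers will look for under **Tables**. In the same section, line 41's "clear the inherit the workspace setting" does not parse, and the field it refers to is labelled "Workplace settings" in the table at line 54, which looks like a typo for "Workspace settings"; please match the label to what the portal screenshot shows. Line 72 ("So the **Table** page shows the following an archive period of 30 days.") has a leftover "the following" and says **Table** where line 65 says **Tables**. Minor: the role table at line 36 uses `</br>`, which is not a valid tag; `<br/>` is the usual form.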