This article describes when FortiSIEM purges data and how to change the purge schedule.
Scope
FortiSIEM.
Solution
Data purging behavior varies depending on the storage setup.
To check when the system is purging the events, run the following command from the Super:
# cat /opt/phoenix/config/phoenix_config.txt | grep -i enforce_policy_at_hour
The result will look like the statement below, which indicates that purging starts at the 22nd hour of each day (10 PM):
enforce_policy_at_hour=22 # <----- Local hour of the day to run policy enforcement.
The above value can be changed to any hour of the day on a 24-hour clock. Once changed, restart phDataPurger so that the new purge time takes effect:
# phtools --stop phDataPurger
# phtools --start phDataPurger
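The change described above can be applied with a range check and a rollback copy. The following is an added example, not Fortinet tooling or part of the original article; the function names and the sample file are assumptions made for illustration.

```shell
# Added example: helper functions, not part of FortiSIEM.
make_sample_config() {
    # Constructed sample file; the setting line mirrors the one shown in the article.
    printf '%s\n' \
        '# constructed sample for this example' \
        'enforce_policy_at_hour=22 # <----- Local hour of the day to run policy enforcement.' > "$1"
}

get_purge_hour() {
    # Print the configured hour from the first uncommented matching line.
    sed -n 's/^[[:space:]]*enforce_policy_at_hour[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

set_purge_hour() {
    file=$1
    hour=$2
    # Accept only 0-23 without leading zeros; reject everything else before touching the file.
    case $hour in
        [0-9]|1[0-9]|2[0-3]) ;;
        *) echo "hour must be an integer from 0 to 23" >&2; return 2 ;;
    esac
    [ -w "$file" ] || { echo "cannot write $file" >&2; return 1; }
    old=$(get_purge_hour "$file")
    [ -n "$old" ] || { echo "enforce_policy_at_hour not found in $file" >&2; return 1; }
    # Keep a copy of the previous configuration for rollback.
    cp -p "$file" "$file.bak" || return 1
    # Replace only the number so the trailing inline comment is preserved.
    sed "s/^\([[:space:]]*enforce_policy_at_hour[[:space:]]*=[[:space:]]*\)[0-9][0-9]*/\1$hour/" \
        "$file.bak" > "$file" || return 1
    echo "enforce_policy_at_hour: $old -> $(get_purge_hour "$file")"
}

# Usage on a copy of the file (the restart commands from the article still apply afterwards):
#   set_purge_hour ./phoenix_config.txt 3
```

Because the purge hour determines when stored events are deleted, keeping the `.bak` copy gives a record of the previous retention schedule.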