Skip to content

Compression

Some detection rules, especially if not optimally configured for your needs, can generate thousands of events per hour. If a ticket is not being promptly investigated and closed on time, the body of accumulated data can grow enormously.

To make the investigation manageable older tickets are regularly "cleaned up". Compression of certain data items allows to maintain both the database storage and specific tickets at a reasonable size, making LogMan.io Alerts much faster and more flexible.

Compression checks are performed every 12 hours.

Events Compression

Compression is regularly performed for associated events and their timeline records, meaning some events assigned to the ticket are removed.

Default Configuration

[compression:event]
ticket_lifetime=1W # (1)
events=100 # (2)
trailing=10 # (3)
trigger=10 # (4)
  1. Only tickets older than 1 week are being compressed
  2. Keep 100 events in a ticket
  3. Keep 10 latest events, the rest being the oldest events of this ticket
  4. Do not compress data unless 10+ extra items have been accumulated

Supported age postfixes:

  • Y: year, respectively 365 days
  • M: month, respectively 31 days
  • W: week
  • D: day
  • h: hour
  • m: minute

For example: "3h" (three hours), "5M" (five months), "1y" (one year) and so on.