Archiving incident partitions

The incident database is partitioned every 90 days. To optimize performance, archive partitions periodically.

Forcepoint DLP keeps a dynamic tally of incidents, which are automatically saved in the Online-Active partition. When a partition is full, it becomes inactive, and a new, active partition is created to store incident data.

Use the Settings > General > Archive Partitions page in the Data Security module of the Forcepoint Security Manager to view a list of current partitions and their status. You can archive, restore, or delete a partition, and set storage limits.

The bolded first line of the Archive Partitions page lists the active partition. You cannot archive this partition, and if you delete it, its incidents are cleared but the partition is not removed. Event partitions represent roughly 3 months of time and hundreds of thousands of incidents.

When the reporting database is hosted on Microsoft SQL Server Standard or Enterprise, it can have a maximum of 8 online partitions (approximately 2 years). Refer to the Remote SQL Server machines section for special instructions.

SQL Server Express, on the other hand, can have one active partition for the current quarter. In addition, you can have up to 4 online partitions (approximately 1 year), 4 restored partitions (1 year), and 12 archived partitions (3 years of records).

The columns in the archive list are sortable.

Column Description
ID An internal identification number for the partition, beginning with the year. Click incident partitions to select them for archiving.
Status The current status:
  • Online-Active marks the partition into which local incidents are dynamically stored.
  • Online indicates a former (now full) Online-Active partition. This partition is no longer active, but it has not been archived or deleted.
  • Archive marks partitions that have been archived in an offline location.
  • Deleted marks partitions that have been permanently deleted.
  • Restored marks partitions that were restored to Online status after having been archived.
From The date of the first event logged in the archive.
To The date of the last event logged in the archive.
# of Incidents The number of incidents currently collected in the archive.
Location The location of the archive, whether local or at an external IP address.
Path The complete path to the external storage.
Comments Optional, administrator-added comments about the archive.
Show deleted partitions When selected, deleted partitions are displayed in the Archiving list.

Use the buttons in the toolbar at the top of the content pane to archive, restore, or delete selected partitions.

Button Description
Archive Send a selected archive to offline storage. See the Archiving a partition section.
Restore Restore a selected archived partition. See the Restoring a partition section.
Delete Permanently delete a selected partition. See the Deleting a partition section.
Settings Open a settings page used to define the archive size and storage location. See the Archive storage section.