27. General Settings » Data Retention

In Configuration » General Settings » Data Retention, you can review the software’s disk usage and set how long data is retained.

DATA_RETENTION

Data Retention Settings parameters:

IP Accounting Data – This can generate thousands of tables over time (each table = 1 day × 1 Sensor interface). Keep retention days low to limit table creation
IP & Sensor Tops – These tables grow quickly because they store binary data for Sensor Tops. If disk space is limited, use a low retention
Console Events – These events contain logs of configuration changes, user logins, etc. Retain this as long as feasible
Other Events – These events are stored in a single SQL table. Keep the row count under a few million to maintain Console performance
Anomaly Data – Stores attack-related info. Retain for as long as possible
Response Data – These tables assist in troubleshooting and typically do not grow rapidly under normal usage
System Commands – These tables are useful for troubleshooting. They don’t grow up fast in normal conditions
Packet Dumps – The filesystem paths for packet dumps can be changed via General Settings » Graphs & Storage
Raw Flow Data – The filesystem paths for flow data can also be changed via General Settings » Graphs & Storage
InfluxDB Retention Policy – If using InfluxDB in General Settings » Graphs & Storage, you can configure its data retention period here
RRD files – If using RRDTool in General Settings » Graphs & Storage, expand this fieldset to see how much disk space it consumes

Note

✔ If the data is stored on an SSD disk, it’s essential to keep the disk usage below 80-90% to avoid performance losses due to Over Provisioning
✔ If the number of rows used by the database tables is in the millions, expect sudden performance losses caused by MySQL/MariaDB indexes
✔ As a rule of thumb, it’s best to only keep the data you actually need, for as long as you need it

The database is purged of old data once every hour, so Data Retention changes may not appear immediately. Use the following command to remove old data:

[root@console ~]# sudo -u andrisoft /opt/andrisoft/bin/WANmaintenance

On some systems, MySQL/MariaDB won’t fully reclaim freed space and reserves it for future use. To reclaim disk space, run the following command on the Console server (this may take a significant amount of time):

[root@console ~]# /opt/andrisoft/bin/WANmaintenance optimize_db

You can back up the entire database by running the following command on the Console server:

[root@console ~]# /opt/andrisoft/bin/WANmaintenance backup_db

You can back up only the software configuration by running the following command on the Console server:

[root@console ~]# /opt/andrisoft/bin/WANmaintenance backup_config

The resulting backup file is placed in the current directory. To restore it on a different Console server:

[root@new_console ~]# mysql -p andrisoft < wanguard_*.sql

27.1. Disk Full Troubleshooting

Like any other system resource, disk space is limited. The software can collect and store very large quantities of data, depending on its configuration. If you think it’s using up too much disk space, read through this section to understand what might be the cause and how to prevent the disk being filled in the future. When the disk is full on the Console server, it’s no longer possible to log in and some components will fail to run!

Unless you changed the default path for storing flows, graphs and dump files, you can use the ncdu utility or the following command to see what is using up your disk space (this may take up to a few minutes, depending on how many files you have):

[root@server ~]# du -ch -d 1 /var/lib/mysql/andrisoft /opt/andrisoft /var/lib/influxdb/data/andrisoft

27.1.1. Database

If the /var/lib/mysql/andrisoft directory occupies too much disk space, lower the parameters from Data Retention. The database is purged from old data once every hour, so the changes in Data Retention will not be immediately visible. Also, on some distributions, MySQL/MariaDB will not free up the deleted data and instead it will reserve the resulted disk space for future use. To reclaim the newly freed up disk space, execute the following command on the Console server (it might take a very long time to execute):

[root@console ~]# /opt/andrisoft/bin/WANmaintenance optimize_db

If the disk got filled then it’s very likely that the database got corrupted and cannot be started. If this is the case, free up some disk space and execute:

[root@console ~]# /opt/andrisoft/bin/WANmaintenance repair_db

27.1.2. Packet Dumps

If the /opt/andrisoft/dumps directory occupies too much disk space, this means you have either done large packet dumps manually, or you have configured the software to capture large packet dumps in Network & Policy » Responses.

  • Recheck the configuration of the Traffic Capture actions, going side by side with the New Packet Capture section, which explains each field in detail. Configuring the Max. Packets parameter is the best way to avoid unnecessarily large dump files.

  • Configure the software to delete old pcap files automatically in Data Retention » Packet Dumps.

  • If you need to clear up some disk space immediately, you can manually delete any files/directories from within the /opt/andrisoft/dumps directory but not the dumps directory itself. If you decide to delete directories or files manually, please allow the software to create them back automatically and do not attempt to recreate them by yourself.

27.1.3. Flows

If the /opt/andrisoft/flows directory occupies too much disk space, this means the Flow Sensor is receiving lots of flows and you have chosen to save them by enabling the Flow Collector option.

  • As a first attempt to lower the disk space consumption of flows, select a more efficient Compression Algorithm.

  • Configure the software to delete old flows automatically in Data Retention » Flow Collectors.

  • If you need to clear up some disk space immediately, you can delete any files/directories manually from within the /opt/andrisoft/flows directory but not the flows directory itself. If you decide to manually delete directories or files, please allow the software to create them back automatically and do not attempt to recreate them by yourself.

27.1.4. IP Graphs (InfluxDB)

If the /var/lib/influxdb/data/andrisoft directory occupies too much disk space, then you probably configured the software to generate graph data files for a very large number of IPs.

  • The software can be configured to store graph data locally or on a remote server. If the existing Console doesn’t have enough disk space, you could use another server just for storing graphs.

  • By default, the graph data is saved in influxdb under the database “andrisoft”. You can delete the existing database by executing the “DROP DATABASE andrisoft” command from within influxdb CLI. Then, you can recreate the database in General Settings » Graphs & Storage.

27.1.5. IP Graphs (RRDTool)

If the /opt/andrisoft/graphs directory occupies too much disk space, this means you have either configured the software to generate graph data files for a very large number of IPs, or you have configured graph data files to contain an unnecessarily large amount of information.

  • Since version 7.2 is possible to use InfluxDB instead of RRD files to store graph data. InfluxDB uses less disk space, so you should seriously consider using it.

  • To find out how much disk space each IP graph file requires, go to General Settings » Graphs & Storage. Tweaking the Accuracy of Round Robin Archive, Decoders, Stored Units or the Consolidation Functions modifies the IP graph file size, which is dynamically displayed in the bottom section of the Configuration window. It is possible that a lot of unnecessary information is stored for each IP and therefore it is best to reconsider the necessity of each option. The configuration is applied to all IP graph files, and it is currently not possible to choose different configuration options for different IP prefixes.

  • We strongly suggest disabling IP graphing for very large IPv4 prefixes or IPv6 prefixes from the Network & Policy » IP Zone. Depending on what you have configured in the General Settings » Graphs & Storage window, the software calculates how much storage is required in case you choose to turn on IP graphing for any IPv4 prefix. This is displayed in the “Storage Requirements” column of the IP Settings section, in the IP Zone Configuration window. You can immediately see that turning IP graphing on for large IP prefixes is not a good idea.

  • It is important to know that the software generates IP Graph files at their maximum size and updates them accordingly without modifying the size afterward. Therefore, you cannot rely on the fact that an IP has little traffic and won’t occupy much space. An IP graph file is generated at the first packet that has that IP as a source or a destination address. A simple network scan on a /8 prefix for which IP graphing is enabled can flood your hard disk with full-sized IP graphing files.

  • You can aggregate IP graphing information collected by multiple Packet Sensors or Flow Sensor interfaces by using a Sensor Cluster.

  • If you need to clear up some disk space immediately, you can manually delete any files/directories from within the /opt/andrisoft/graphs directory but not the graphs directory itself. If you decide to delete directories or files manually, please allow the software to create them back automatically and do not attempt to recreate them by yourself. To delete the IP graph files which were not updated in the last 90 days, execute:

[root@console ~]# find /opt/andrisoft/graphs/ips -mtime +90 -type f -exec /bin/rm {} \;