The alert and incident retention conditions are determined by the following criteria:
Retention period. By default, alerts and incidents are retained in KUMA for a year. This period can be changed by editing the application startup parameters in the file /usr/lib/systemd/system/kuma-core.service on the KUMA Core server. See the "Setting the retention period for alerts and incidents" section later in this article.
Deletion conditions. After the expiration of the specified retention period, if certain conditions are satisfied, alerts and incidents may be retained further. See the "Alert and incident deletion conditions" section later in this article.
There are no limitations on the size of a stored alert.
Setting the retention period for alerts and incidents
You can change the alert and incident retention period in one of the following ways:
In the KUMA web interface
On the command line
To change the retention period for alerts and incidents in the KUMA web interface:
In the KUMA web interface, go to the Settings → Other → General section.
In the General window, under Core properties, specify the Alert retention period, days.
The retention period for alerts and incidents will be changed.
To change the retention period for alerts and incidents on the command line:
Log in to the OS of the server where the KUMA Core is installed.
In the /usr/lib/systemd/system/kuma-core.service file, edit the following string by inserting the necessary number of days:
ExecStart=/opt/kaspersky/kuma/kuma core --alerts.retention <retention period for alerts and incidents in days> --external :7220 --internal :7210 --mongo mongodb://localhost:27017> --external :7220 --internal :7210
Restart KUMA by running the following commands in sequence:
systemctl daemon-reload
systemctl restart kuma-core
The retention period for alerts and incidents will be changed.
Alert and incident deletion conditions
KUMA applies the following alert and incident deletion conditions:
If an alert is older than the retention period, its events are deleted regardless of the alert status.
If an alert is older than the retention period, has the Closed status, and is not linked to an incident, the alert is deleted.
If an alert is older than the retention period (regardless of the alert status) and is linked to an incident whose retention period has not yet expired, the alert events are deleted, the alert itself without events is available for display and remains linked to the incident without the events.
If the incident is older than the retention period, the status of the incident is Closed, and it has no linked alerts, the incident is deleted.
If an incident is older than the retention period, the status of the incident is Closed, and only alerts older than the retention period are linked to it (the status of alerts linked to a closed incident is always Closed, incident closed), the incident is deleted together with all its alerts and events.
If an incident is older than the retention period (regardless of the status of the incident), and it has linked alerts that have not yet expired, nothing is deleted.
If an incident is older than the retention period, has a status other than Closed, and alerts older than the retention period are linked to the incident, the incident is not deleted, alerts are not deleted, but events of the alerts are deleted.
Empty alerts (alerts without events whose retention period has expired) are deleted together with incidents when the incident satisfes deletion conditions in accordance with the retention period are satisfied (the incident has the Closed status and its retention period has expired).
If an incident is older than the retention period, the status of the incident is Closed, and the incident has linked alerts that are older than the retention period and some alerts that have not yet expired, the incident is not deleted; alerts that have not yet expired are not deleted; events of expired alerts are deleted, and the alerts themselves remain empty and linked to the incident.
The conditions are independent, none of the conditions are mutually exclusive.