By default, the Forensics Repository is configured with a maximum folder size of 50GB. When the Forensics Repository reaches its capacity, at least 15% of its size is freed by rolling its oldest forensics over to the Incident Archive folder (the automatic_archiving folder). Despite the name of the folder, this is not a traditional automatic archive of DLP incident partitions; it is simply a temporary holding space for rollover forensics. The incidents associated with these forensics will not be archived unless a manual archive is performed, or the environment reaches its maximum online partition count of 8 and initiates Automatic Archiving upon the next scheduled partition creation.
The Archive Storage folder is located within %DSS_HOME%archive_mng\storage on the DLP Management Server by default. The default maximum size of the location is also 50GB, but can be modified if the location is set to be remote (the same local location can still be used as long as the folder itself is shared). For more information, refer to the documentation regarding Archive Storage.
Please note that if the Incident Archive folder reaches its own configured limit, it will irreversibly delete 10% of rollover forensics in an attempt to free up space. It is therefore very important that the environment never reaches its Forensics Repository or Archive Storage folder limits during normal operation.
Option One - Increase the Maximum Size Limit of the Forensics Repository
Modify the Forensics Repository Properties of the DLP Management Server within System Modules in order to increase the maximum size limit to a total amount (up to 2TB, or 10TB as of v8.9.1 and above) that is not expected to be reached by the overall Forensics Repository size (the sum of forensics across all active partitions) during a standard business quarter, or before incident partitioning can be performed in response.
By default, a maximum of 8 online partitions (approximately 2 years' worth of forensics) is possible when the reporting database is hosted on Microsoft SQL Server Standard or Enterprise. Therefore, the Forensics Repository should be sized in accordance with its projected "maximum" size of 8 active online partitions. The creation of a new partition would automatically archive the oldest incident partition, but a manual archive (see below) can be performed to immediately free up space if needed.
See Modifying the DLP Incident Partition Interval for steps to alter the interval period for partition creation from its default of 91 days. For example, if the interval is reduced to be monthly, the maximum of 8 active partitions will be reached earlier and thus automatic archival will occur more frequently.
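The rollover chain described above (Forensics Repository overflow into the Incident Archive, then irreversible deletion once the archive is full) and the sizing rule for 8 online partitions, as an added capacity model. This is example code, not Forcepoint's; it assumes the 15% step acts on the repository's configured maximum and the 10% step on the archive's current contents, and the 1 GB/day ingest rate used in the usage note is a constructed sample.

```python
"""Capacity model of the Forensics Repository rollover chain from this article.
Added example, not Forcepoint code. Rules follow the text; the 15%/10% steps are
assumed to act on the repo's configured maximum and the archive's contents."""
from dataclasses import dataclass
from typing import Optional

REPO_LIMIT_GB = 50.0          # default Forensics Repository maximum (GB)
ARCHIVE_LIMIT_GB = 50.0       # default Archive Storage maximum (GB)
REPO_FREE_FRACTION = 0.15     # rolled over to the Incident Archive when the repo is full
ARCHIVE_DROP_FRACTION = 0.10  # deleted irreversibly when the Incident Archive is full
MAX_ONLINE_PARTITIONS = 8     # online partition cap on SQL Server Standard/Enterprise


@dataclass
class RolloverModel:
    repo_limit: float = REPO_LIMIT_GB
    archive_limit: float = ARCHIVE_LIMIT_GB
    repo_gb: float = 0.0     # forensics held in the Forensics Repository
    archive_gb: float = 0.0  # rollover forensics held in automatic_archiving
    lost_gb: float = 0.0     # forensics deleted irreversibly by the archive overflow

    def ingest(self, gb: float) -> None:
        """Add new forensics, then apply the overflow rules until both folders fit."""
        self.repo_gb += gb
        while self.repo_gb > self.repo_limit:
            rolled = self.repo_limit * REPO_FREE_FRACTION
            self.repo_gb -= rolled
            self.archive_gb += rolled
            while self.archive_gb > self.archive_limit:
                dropped = self.archive_gb * ARCHIVE_DROP_FRACTION
                self.archive_gb -= dropped
                self.lost_gb += dropped


def required_repo_limit(gb_per_day: float, interval_days: int = 91,
                        max_partitions: int = MAX_ONLINE_PARTITIONS) -> float:
    """Forensics held by a full set of online partitions; the repo limit must stay above this."""
    return gb_per_day * interval_days * max_partitions


def days_until_first_loss(gb_per_day: float, repo_limit: float = REPO_LIMIT_GB,
                          archive_limit: float = ARCHIVE_LIMIT_GB,
                          max_days: int = 3650) -> Optional[int]:
    """Day on which the archive overflow first deletes forensics, or None within max_days."""
    model = RolloverModel(repo_limit, archive_limit)
    for day in range(1, max_days + 1):
        model.ingest(gb_per_day)
        if model.lost_gb > 0:
            return day
    return None
```

At a constructed 1 GB/day, `required_repo_limit(1.0)` is 728 GB for 8 quarterly partitions, and at the default 50 GB limits `days_until_first_loss(1.0)` reports irreversible deletion starting on day 96.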
Option Two - Regularly Archive Older DLP Incident Partitions
Note: In order to perform archiving, the Temporary File Location must be configured from the Forcepoint DLP installer. If there are issues configuring this step, refer to this article for more information.
To free storage space for new incidents (in the SQL database) and forensics records (within the Forensics Repository), older partitions can be exported to the archiving folder. If desired, a manual archive of incident partitions can be performed through the Settings > General > Archive Partitions page. This backs up and detaches the tables corresponding to the incident partition from the wbsn-data-security SQL database, couples them with the forensics corresponding to that partition's time range, and moves both to the Archive location. The end result is that space is cleared from both the Forensics Repository folder and the SQL database, so this can be used to bring the Forensics Repository directory back within its maximum size limit.
If the incident partition contains an extremely large number of incidents and/or its total size is large, the archival process may stall indefinitely at the point where it attempts to move all of the target incident forensics to the new location.
In this case, consider manually moving the forensics for the partition's time range over to the archive location or anywhere else so that the archive process only considers the SQL table backup. As long as the Forensics Repository's folder structure is kept intact, the same forensics folders can be manually moved back to the Forensics Repository to restore the forensics in the event that they are needed again.
In order to clear up a stalled archive process, please refer to the following article: Resetting the Forcepoint DLP Partition Archiving Status
If there is a desire to reduce the incident partitioning interval, thus creating more manageable "chunks" of incidents and forensics that can be archived more frequently, please refer to the following article: Modifying the DLP Incident Partition Interval
Option Three - Delete Unnecessary Forensics
In the case where there are incidents that are not useful, such as when an improperly configured DLP policy triggers a large number of false positives or an extremely large number of unnecessary incidents, the incidents can be deleted using the DLP Incidents Workflow to remove both the incident from the SQL database and its forensics, freeing up space in both locations. Using the report filters, the table can be configured to display all unnecessary incidents in order to delete all filtered report incidents.
Please note that Discovery incidents do not undergo partitioning and are never removed automatically. Ensure that the incident count is kept at a reasonable amount and delete unnecessary Discovery incidents when possible.