Data Retention
This topic lists the Sysdig data retention policies. When a host or instance is no longer monitored, such as when the agent is uninstalled, the historical data continues to be retained for the times stated below.
Sysdig Secure Retention Limits
| Component | Retention |
|---|---|
| Activity Audit | Kubernetes(kube) and Cmd (command) comply with the runtime data retention policy.Net ( connection) and File (fileaccess) the minimum between 7 days and the runtime data retention. |
| Captures | Runtime data retention policy. |
| CSPM (Posture + Inventory) | Resource data is refreshed every 24 hours when a posture evaluation is run. Stale data (data from a failed scan because of a disconnected/removed agent, deleted cluster/account, or because the account lost its permissions) is shown for 7 days since the last scan. Compliance data is stored for a year. |
| Pipeline Results (cli-scan ) | 90 days |
| Policy Events | Runtime data policy, up to 1 million events. |
| Registry Scanning Results | 90 days |
| Reports | 7 days for all reports generated as a PDF, CSV, or JSON. This includes Vulnerability Management (VM), Compliance, and Posture reporting. |
| Runtime Reporting | Available through VM reporting, this report includes workloads active when the report was created, as well as those terminated within the prior 24 hours. |
| Runtime view | Workloads disappear from the Runtime view within 15 minutes after termination. Workloads will never expire as long as they are running. |
| Sysdig Platform Audit | 90 days. |
| Vulnerability Management Reports | 14 days |
| IAM Resources | 24 hours. |
Runtime data retention policy is based on your subscription and available in your subscription page. In case this not specified in your contract, it’s 90 days. If required, you can change the standard data retention settings using Sysdig REST API. Contact your Sysdig support team or professional services for assistance as there are a variety of storage and timeline implications to consider before making such a change.
Sysdig Monitor Metric Retention Limits
| Metric Granularity (Samples) | Retention |
|---|---|
| 10s | 7 days |
| 1m | 14 days |
| 10m | 30 days |
| 1h | 3 months |
| 1d | 12 months |
Sysdig Monitor Events Retention Limits
| Components | Retention |
|---|---|
| All Events The total event limit includes all event types: Infrastructure, Alert, Sysdig, and Custom events. | 2,000,000 Total |
| Captures | 90 days |
| Custom Events | 30 days |
| Infrastructure Events | 30 days |
| Resolved Alert Events Acknowledged Alert Events | 30 days |
| Sysdig Platform Audit | 90 days |
| Unresolved Alert Events Unacknowledged Alert Events | 30 days |
