Data Retention

As of July 2020, the data retention policies for Sysdig Monitor and Sysdig Secure are as described below.

When a host or instance is no longer monitored, i.e. when an agent is uninstalled, the historical data continues to be retained for the stated times.

Note: If required, you can change the standard data retention settings by using Sysdig’s REST API. A Sysdig support team or professional services member should assist, as there are a variety of storage and timeline implications to consider before making such a change.

Sysdig Monitor Retention Limits

Metrics data10s : 4 hours

1min : 2 days

10 min : 2 weeks

1 hr: 3 months

1 day: 12 months
EventsAlert events: 30 days

Custom events: 14 days or 10M (per account)
Captures90 days

Sysdig Secure Retention Limits

EssentialsEnterprise
Policy events1M events or 90 dayssame as Essentials
Activity audit5 days90 days
Benchmarks30 days90 days
Scan results

The image eviction conditions above are applied simultaneously; the retention policy will trigger for the first one that matches.
Image data is kept for a maximum of 7 days.

Sysdig Secure will retain a maximum of 3 tags per repository and a maximum of 3 different images per tag *

Images used by a container that is monitored by a Sysdig agent (Runtime images) will always be kept, regardless of the limits above.
Image data is kept for a maximum of 90 days.

Sysdig Secure will retain a maximum of 5 tags per repository and a maximum of 5 different images per tag *

Images used by a container that is monitored by a Sysdig agent (Runtime images) will always be kept, regardless of the limits above.
Vuln Management Reports14 dayssame as Essentials
Captures90 dayssame as Essentials

* For example, consider an Essentials account with a combination of registry/repo:tag - (i.e. docker.io/alpine:3.12.1) that already contains three different image digests. If a new image digest is pushed to the same name, the oldest image will be evicted, regardless of its age.