As of July 2020, the data retention policies for Sysdig Monitor and Sysdig Secure are as described below.
When a host or instance is no longer monitored, i.e. when an agent is uninstalled, the historical data continues to be retained for the stated times.
Note: If required, you can change the standard data retention settings by using Sysdig’s REST API. A Sysdig support team or professional services member should assist, as there are a variety of storage and timeline implications to consider before making such a change.
Sysdig Monitor Retention Limits
|Metrics data||10s: 4 hours; 1 min: 2 days; 10 min: 2 weeks; 1 hr: 3 months; 1 day: 12 months|
|Events||Alert events: 30 days; Custom events: 14 days or 10M (per account)|
Sysdig Secure Retention Limits
|Policy events||1M events or 90 days||same as Essentials|
|Activity audit||5 days||90 days|
|Benchmarks||30 days||90 days|
|Scan results. The image eviction conditions in this row are applied simultaneously; the retention policy will trigger for the first one that matches.||Image data is kept for a maximum of 7 days. Sysdig Secure will retain a maximum of 3 tags per repository and a maximum of 3 different images per tag.* Images used by a container that is monitored by a Sysdig agent (runtime images) will always be kept, regardless of the limits above.||Image data is kept for a maximum of 90 days. Sysdig Secure will retain a maximum of 5 tags per repository and a maximum of 5 different images per tag.* Images used by a container that is monitored by a Sysdig agent (runtime images) will always be kept, regardless of the limits above.|
|Vuln Management Reports||14 days||same as Essentials|
|Captures||90 days||same as Essentials|
* For example, consider an Essentials account with a registry/repo:tag combination (e.g. docker.io/alpine:3.12.1) that already contains three different image digests. If a new image digest is pushed to the same name, the oldest image will be evicted, regardless of its age.