Data Retention

As of July 2020, the data retention policies for Sysdig Monitor and Sysdig Secure are as described below.

When a host or instance is no longer monitored, i.e. when an agent is uninstalled, the historical data continues to be retained for the stated times.

Note: If required, you can change the standard data retention settings by using Sysdig’s REST API. A Sysdig support team or professional services member should assist, as there are a variety of storage and timeline implications to consider before making such a change.

Sysdig Monitor Retention Limits


Metrics data	10s : 4 hours 1min : 2 days 10 min : 2 weeks 1 hr: 3 months 1 day: 12 months
Events	Alert events: 30 days Custom events: 14 days or 10M (per account)
Captures	90 days

Sysdig Secure Retention Limits

	Essentials	Enterprise
Policy events	1M events or 90 days	same as Essentials
Activity audit	5 days	90 days
Benchmarks	30 days	90 days
Scan results The image eviction conditions above are applied simultaneously; the retention policy will trigger for the first one that matches.	Image data is kept for a maximum of 7 days. Sysdig Secure will retain a maximum of 3 tags per repository and a maximum of 3 different images per tag * Images used by a container that is monitored by a Sysdig agent (Runtime images) will always be kept, regardless of the limits above.	Image data is kept for a maximum of 90 days. Sysdig Secure will retain a maximum of 5 tags per repository and a maximum of 5 different images per tag * Images used by a container that is monitored by a Sysdig agent (Runtime images) will always be kept, regardless of the limits above.
Vuln Management Reports	14 days	same as Essentials
Captures	90 days	same as Essentials

* For example, consider an Essentials account with a combination of registry/repo:tag - (i.e. docker.io/alpine:3.12.1) that already contains three different image digests. If a new image digest is pushed to the same name, the oldest image will be evicted, regardless of its age.