Determine the Log Retention Period Using the Alert Logic CLI

The Alert Logic® command line interface (CLI) can be used to determine the log retention period for your account. This query works for customers with Alert Logic Professional or Enterprise in the Managed Detection & Response (MDR) platform, as well as for Alert Logic Cloud Defender and Log Manager® customers.

To use this query, you must first download and install the Alert Logic CLI and add your credentials.

Note: Alert Logic Cloud Defender and Log Manager customers can also view their log retention period in the Alert Logic console at the Support menu () > Support.

Determine Your Retention Period

To determine your log retention period, execute:

alcli --query entitlements subscriptions get_entitlements --product_family log_data_retention --account_id accountID

For example:

alcli --query entitlements subscriptions get_entitlements --product_family log_data_retention --account_id 12345678

Sample output:

[
    {
        "account_id": "12345678",
        "end_date": 1893456000,
        "id": "95CB2C05-3917-4D58-6084-17AA6061C3F8",
        "product_family": "log_data_retention",
        "status": "active",
        "subscription_id": "E4D22FC8-BE22-5FF9-C91F-B499559AED76",
        "value": 25,
        "value_type": "months"
    }
]

In this output, the “value” and “value_type” define the retention period, for example 25 months as shown above. If no value is returned, the log retention period is the default of 13 months.

Understanding Log Retention Period

Log messages will be deleted no later than the end of the log retention period, and no sooner than one month before this. For example, for a log retention period of 13 months:

• Log messages will be removed after no more than 13 months
• Log messages will be retained at least 12 months—one month before the log retention period.

The current implementation of log message expiration begins expiration on the first day of each month. Log messages due to be expired by the end of that calendar month will be removed sometime during the course of that month. The timing of that process is not specified, other than that it will occur within this time frame.