FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
yujames
Staff
Article Id 190340
Description
This article quickly describes what information is stored in the eventDB (for non Elastic Storage type deployments).

Scope
All versions of FortiSIEM

Solution
FortiSIEM stores all inbound events from external devices under the following folder path:
/data/eventdb/CUSTOMER_1/default

Example:
# ls -l /data/eventdb/CUSTOMER_1/default

total 3408
drwx--S--- 4 admin admin    4096 Apr 29 16:59 18016
drwx--S--- 4 admin admin    4096 Apr 30 17:00 18017
drwx--S--- 4 admin admin    4096 May  1 16:59 18018
drwx--S--- 4 admin admin    4096 May  2 17:00 18019
drwx--S--- 4 admin admin    4096 May  3 18:43 18020
drwx--S--- 4 admin admin    4096 May  4 17:00 18021
drwx--S--- 4 admin admin    4096 May  5 16:59 18022
drwx--S--- 4 admin admin    4096 May  6 16:59 18023
drwx--S--- 4 admin admin    4096 May  7 16:59 18024
drwx--S--- 4 admin admin    4096 May  8 16:57 18025
drwx--S--- 4 admin admin    4096 May  9 16:59 18026
drwx--S--- 4 admin admin    4096 May 10 16:59 18027
drwx--S--- 4 admin admin    4096 May 11 16:59 18028
drwx--S--- 4 admin admin    4096 May 12 16:58 18029
drwx--S--- 4 admin admin    4096 May 13 17:00 18030
drwx--S--- 4 admin admin    4096 May 14 16:57 18031
This path holds all historical event data received from external devices; it is the data that historical queries read.
Each folder is named with a number derived from the formula [EPOCH TIME] / 86400 (integer part), i.e. the number of whole days since the Unix epoch.
The start time of each folder is always midnight GMT (UTC+0).

To calculate the timestamp for a folder:
1) take the folder number, e.g. 17547 (found under /data/eventdb/CUSTOMER_1/default/)
2) multiply it by 86400 (seconds per day)
3) take the result: 1516060800
4) use an online epoch timestamp converter
5) paste the value in and click "Timestamp to Human Date"

The result will be: Tuesday, January 16, 2018 12:00:00 AM.

This is the UTC day (GMT+0) on which the events in that folder were written.
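The conversion above can be scripted instead of going through a web converter, which is handy when checking retention or when working out which eventDB folders cover a given investigation window. The following is an added example and not part of the original article or of the FortiSIEM product; the root path is the one quoted above, while the helper names and the sample time window are assumptions. It does the article's folder-to-date calculation, the reverse (date to folder number), and lists the folders spanning a UTC time window.

```python
from datetime import datetime, timedelta, timezone

SECONDS_PER_DAY = 86400
# Path quoted in the article; the folder number is appended to it.
EVENTDB_ROOT = "/data/eventdb/CUSTOMER_1/default"


def folder_to_timestamp(folder: int) -> int:
    """Step 2 of the article: folder number * 86400 = epoch seconds at UTC midnight."""
    return folder * SECONDS_PER_DAY


def folder_to_datetime(folder: int) -> datetime:
    """Steps 3-5 of the article done locally: epoch seconds -> UTC date/time."""
    return datetime.fromtimestamp(folder_to_timestamp(folder), tz=timezone.utc)


def datetime_to_folder(dt: datetime) -> int:
    """Reverse mapping: which folder holds events written at the given instant.

    A naive datetime is rejected, because the folder boundary is UTC midnight and
    a local-time value would silently land in the wrong day folder."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware (folders are UTC-based)")
    return int(dt.timestamp()) // SECONDS_PER_DAY


def folder_path(folder: int) -> str:
    """Full on-disk path of a day folder (assumed layout: root/<folder number>)."""
    return f"{EVENTDB_ROOT}/{folder}"


def folders_for_window(start: datetime, end: datetime) -> list:
    """All folder numbers whose UTC day overlaps the inclusive window [start, end]."""
    if end < start:
        raise ValueError("end must not precede start")
    first, last = datetime_to_folder(start), datetime_to_folder(end)
    return list(range(first, last + 1))


if __name__ == "__main__":
    # The article's worked example: folder 17547.
    print(folder_to_timestamp(17547))
    print(folder_to_datetime(17547).strftime("%A, %B %d, %Y %I:%M:%S %p"))

    # Constructed investigation window (assumption): 30 Apr 2019 12:00 to 2 May 2019 01:00 UTC.
    window_start = datetime(2019, 4, 30, 12, 0, tzinfo=timezone.utc)
    window_end = datetime(2019, 5, 2, 1, 0, tzinfo=timezone.utc)
    for f in folders_for_window(window_start, window_end):
        print(f, folder_to_datetime(f).date(), folder_path(f))
```

Note that the timestamps shown by `ls -l` in the listing above are the appliance's local time, whereas the folder number always refers to the UTC day; when correlating folders with an incident timeline, convert the incident times to UTC first and use the folder number, not the directory mtime.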
