STINGAR server maintenance

Once you have the STINGAR server configured and honeypots deployed, you will begin to collect attack data. This data is stored in the Elasticsearch database built into STINGAR. Depending on the number of honeypots you have deployed and how many attacks they receive, the data collected can quickly grow. Hence it is important to ensure your attack data is monitored and managed.

Data retention policy

By default, from Version 2.1 onwards, STINGAR's Elasticsearch database retains all attack data for 90 days, then retains it for a further 90 days in a "warm retention" state and finally deletes the data permanently after 180 days.

Modifying retention policy

This policy is defined inside Elasticsearch by a "Lifecycle policy" named stingar_policy, which you may edit. First, open the Kibana console from the dashboard page and navigate to the Stack Management link at the very bottom of the menu:

[Screenshot: Kibana Stack Management]

Navigate to the Index Lifecycle Policies page:

[Screenshot: Edit ILM Policy]

You will see four lifecycle phases defined: Hot phase, Warm phase, Cold phase and Delete phase.
The Warm phase is enabled and set to 90 days, and the Delete phase is enabled and set to 180 days. You may manually change these values and save the settings. Once you save the settings, the new retention policy applies to all attack data from then on.

Note

These default data retention settings are suitable for typical campus STINGAR installations; however, it is still possible to run into memory limitation problems depending on your specific underlying hardware configuration or honeypot use case (please refer to FAQ/Runtime problems for more tips on maintaining a stable STINGAR platform).
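The Kibana steps above edit the same policy document that Elasticsearch exposes through its ILM REST API, and an operator who wants to script or audit retention (for example, to confirm that no index will outlive the 180-day window before a compliance review) can work with that document directly. The following is an added example, not code from the STINGAR project: it builds the request body for `PUT _ilm/policy/stingar_policy` with the warm and delete ages the page describes, parses a `GET _ilm/policy` response of the same shape, and reports the effective retention in days. The Elasticsearch URL, the `set_priority` action in the warm phase and the sample response are assumptions for illustration; only the policy name `stingar_policy` and the 90/180-day values come from the page.

```python
import json
import re

# Policy name as given on the page; everything else here is an assumption.
POLICY_NAME = "stingar_policy"

# ILM time units expressed in hours, so "90d", "12h" and "0ms" all reduce to days.
_UNIT_HOURS = {"ms": 1 / 3_600_000, "s": 1 / 3600, "m": 1 / 60, "h": 1, "d": 24}


def parse_age_days(age):
    """Convert an ILM min_age value such as '90d', '12h' or '0ms' into days."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h|d)", age.strip())
    if not m:
        raise ValueError(f"unrecognised ILM time value: {age!r}")
    return int(m.group(1)) * _UNIT_HOURS[m.group(2)] / 24


def build_policy(warm_days=90, delete_days=180):
    """Return the request body for PUT _ilm/policy/stingar_policy.

    Defaults mirror the retention described on the page: warm at 90 days,
    delete at 180 days. Note that min_age is measured from index creation
    (or rollover), so delete_days is the absolute age of the data, not the
    time spent in the warm phase. Elasticsearch rejects a delete phase that
    would start before the warm phase, so that is checked up front.
    """
    if warm_days < 0 or delete_days <= warm_days:
        raise ValueError("delete phase must start after the warm phase")
    return {
        "policy": {
            "phases": {
                "hot": {"min_age": "0ms", "actions": {}},
                # set_priority is an assumed warm-phase action; adjust as needed.
                "warm": {"min_age": f"{warm_days}d",
                         "actions": {"set_priority": {"priority": 50}}},
                "delete": {"min_age": f"{delete_days}d", "actions": {"delete": {}}},
            }
        }
    }


def retention_summary(policy_doc):
    """Map each configured phase to its min_age in days, in lifecycle order.

    policy_doc is one policy entry as returned by GET _ilm/policy/<name>
    (i.e. the dict holding the "policy" key). Phases must be monotonic.
    """
    phases = policy_doc["policy"]["phases"]
    summary = {}
    last = -1.0
    for name in ("hot", "warm", "cold", "frozen", "delete"):
        if name not in phases:
            continue
        days = parse_age_days(phases[name].get("min_age", "0ms"))
        if days < last:
            raise ValueError(f"phase {name} starts before the preceding phase")
        last = days
        summary[name] = days
    return summary


def days_retained(policy_doc):
    """Days attack data lives before the delete phase removes it; None if never deleted."""
    return retention_summary(policy_doc).get("delete")


def curl_command(policy_doc, es_url="http://localhost:9200"):
    """Build the curl invocation that installs the policy (es_url is assumed)."""
    body = json.dumps(policy_doc)
    return (f"curl -XPUT '{es_url}/_ilm/policy/{POLICY_NAME}' "
            f"-H 'Content-Type: application/json' -d '{body}'")


# Constructed sample shaped like a GET _ilm/policy/stingar_policy response.
SAMPLE_GET_RESPONSE = {
    POLICY_NAME: {
        "version": 1,
        "modified_date": "2023-01-01T00:00:00.000Z",
        "policy": build_policy(90, 180)["policy"],
    }
}

if __name__ == "__main__":
    doc = SAMPLE_GET_RESPONSE[POLICY_NAME]
    print("retention by phase (days):", retention_summary(doc))
    print("data deleted after days:", days_retained(doc))
    print(curl_command(build_policy(60, 120)))
```

Running `retention_summary` against the live `GET _ilm/policy/stingar_policy` output after a Kibana edit is a quick way to confirm the new values took effect, and the monotonic check catches the common mistake of moving the Delete phase earlier than the Warm phase.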

Preserving attack data

All attack data is stored inside the Elasticsearch database. You may back up the data or copy it to an external location using the Kibana/Elasticsearch menus.