We are allowed to keep the logs (events and flows) for 30 days only. But in case of need, the chosen backup data of the last 3 months should be restorable.
The idea is as follows:
backup of config and data is done once a night (done)
set retention time of logs and flows to 30 days (done)
a script moves the files to a remote server, where they are kept for 90 days (done)
this can be combined with a GPG key pair to avoid unrestricted access
Question 1: For the analysis of security events in the past, we want to restore older data. When restoring a backup (e.g. from 48 days ago), do I have to do an entire time journey (worst case), or is the captured data of the previous 47 days still available (best case)?
Question 2: We have separated collectors, processors, data nodes and consoles. Do we have to restore all data-serving hosts (processors, data nodes, consoles) at the same time?
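The offsite step described in the post (encrypt the nightly backup with a GPG public key, move it to a remote host, keep it there for 90 days) as an added shell example; this is not the poster's script or the SIEM vendor's tooling. The backup directory, remote host, remote path and key ID are assumptions, as is the `.tgz` suffix of the nightly backup files. The retention pruning is written as a function that returns the number of files it removed, so it can be checked on a local directory before being run on the archive host.

```shell
#!/bin/sh
# Added example, not from the original post. Encrypts nightly backup files to a
# GPG public key, ships them offsite, and prunes the remote copy after 90 days.
# All names below are assumptions; override them through the environment.

BACKUP_DIR="${BACKUP_DIR:-/store/backup}"                 # assumed local backup location
REMOTE="${REMOTE:-backup@archive.example.net}"              # assumed remote host
REMOTE_DIR="${REMOTE_DIR:-/srv/siem-backups}"               # assumed remote path
GPG_RECIPIENT="${GPG_RECIPIENT:-backup-key@example.net}"    # assumed public key ID
REMOTE_RETENTION_DAYS=90

# Encrypt one backup file to the recipient's public key. Only the holder of the
# matching private key (kept off the backup and archive hosts) can restore it,
# so a compromise of the archive host alone does not expose the log data.
encrypt_backup() {
    src="$1"
    gpg --batch --yes --trust-model always --recipient "$GPG_RECIPIENT" \
        --output "$src.gpg" --encrypt "$src"
}

# Copy the encrypted files to the remote host and remove the local encrypted
# copies once transferred. The plaintext backup stays under local retention.
ship_backups() {
    rsync -a --remove-source-files "$BACKUP_DIR"/*.gpg "$REMOTE:$REMOTE_DIR/"
}

# Delete regular files under a directory whose modification time is older than
# N days and print how many were removed. Run against REMOTE_DIR on the archive
# host for the 90-day retention; kept generic so it can be checked locally.
prune_old_backups() {
    dir="$1"
    days="$2"
    count=$(find "$dir" -type f -mtime +"$days" | wc -l | tr -d ' ')
    find "$dir" -type f -mtime +"$days" -exec rm -f {} +
    echo "$count"
}

# Count regular files in a directory (helper for before/after checks).
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

main() {
    for f in "$BACKUP_DIR"/*.tgz; do
        [ -f "$f" ] || continue
        encrypt_backup "$f"
    done
    ship_backups
    # Apply the 90-day retention on the archive host.
    ssh "$REMOTE" "find '$REMOTE_DIR' -type f -mtime +$REMOTE_RETENTION_DAYS -exec rm -f {} +"
}

# Run the full pipeline only when invoked as: sh ship_backups.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Schedule `main` from cron after the nightly backup completes. The private key never needs to be present on either the backup host or the archive host; it is only required at restore time, which keeps the 90-day archive readable only to the team that holds it.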