We have a policy of deleting GitLab log files after a certain number of days. This is not only to save disk space but also for privacy reasons. We don’t want to store personal data such as user IP addresses for long time periods. In fact, the European data protection regulations allow us to store only data which is needed and for as long as it is necessary.
Recently we became aware that the GitLab database contains quite a bit of such personal data in the form of Audit Events (Audit Events | GitLab), some of them apparently all the way back to the original installation date of our GitLab instance.
A few questions which come to mind:
- Are there any plans to make it configurable which data is gathered and for how long it is stored, similar to the logging settings in gitlab.rb? I didn’t find any configuration items for audit events.
- Are there any tools available to help in deleting all or selected event types which are older than a specific number of days/months/years?
- If we delete the audit events or some of their information (such as the IP addresses) directly from the GitLab database, will it affect tools such as “Vulnerability Report” and “Threat Monitoring” or break some other functionality?
Best regards,
Arto