Dan_Roddy
Collaborator

Need help exporting log data from R80.10 MS

Greetings,

I upgraded management to R80.10 on December 19, 2017.  My new log server now is 93% full and I realize now after reading the Logging and Monitoring R80.10 Administration Guide, it is mostly useless.  I am trying to be objective here and not overly critical but there is only one sentence in this admin guide about managing logs:

"SmartEvent and Log Server use an optimization algorithm to manage disk space and other system resources. When the Logs and Events database becomes too large, the oldest logs and events are automatically deleted to save space."

No, deleting is not managing.  I have been copying off log files since R61 but now the logs are in database format and not flat files so it would be very helpful if I could learn how to get it done.  It is very likely this will only need to be done once - very soon I will have syslog running to a 5TB log server.

 

I like the idea about getting logs from Endpoint Management Server R77.30.03 into the R80.10 platform to unify all threat management.

Any help will be appreciated, best regards,

Dan

0 Kudos
2 Replies
PhoneBoy
Admin

Archiving log files works exactly the same way it worked in R61 and much earlier releases: Copy off the fw.log* files.

Yes, there is additional indexing and correlation that is done, but those indexes can be rebuilt when the logs are reimported into a system.

0 Kudos
Kaspars_Zibarts
Employee

Bear in mind rebuilding indexes can be painfully slow and resource intensive. We tried to import logs after the R80 upgrade from R77.30 by copying back fw.log files and it took 3 days to import one week of logs... That's whilst processing new logs arriving from gateways. In the end we gave up as the MLM became useless.

So in short yes - you can archive the same way as before but be mindful about rebuilding indexes :) or use old school tracker to view old logs :)
