chico
Nickel

Logs indexation 30 days R80.20 Take 87


Hello everybody,

I would like to generate some security reports, but I can only generate reports with 30 days of retention. I changed the option so that index files older than 30 days are not deleted.

I followed the process as mentioned in SK sk111766 and configured ./log_indexer -days_to_index <NUM_OF_DAYS_TO_INDEX> to 90 days, but nothing has changed when I generate a report.

Logs_storage_SMS.png

 

logIndexer.png

Has anyone had the same issue and found a solution?

Regards,

 

Campos Miguel

 

 

1 Solution

Accepted Solutions
chico
Nickel

Re: Logs indexation 30 days R80.20 Take 87


Hello Dror Aharony,

Thank you for your reply. I just restarted the indexer service, but nothing changed. I found another SK for running SmartEvent Offline Jobs for multiple logs, "sk98894", but I don't understand the difference from SK sk111766.

I am sending you the result from doctor-log.sh.

Thanks a lot for your feedback.

 

Miguel


0 Kudos
7 Replies
Admin
Admin

Re: Logs indexation 30 days R80.20 Take 87

Have you verified that you have 90+ days of logs to index?
If so, then you may want to involve the TAC.
0 Kudos
chico
Nickel

Re: Logs indexation 30 days R80.20 Take 87


Hello,

Where can I check that?

0 Kudos
Admin
Admin

Re: Logs indexation 30 days R80.20 Take 87

$FWDIR/log
A new log file is created daily at midnight and when a log file gets to 2GB in size.
The log files are named by date, so you should be able to see how far back your logs go.
0 Kudos
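
The check suggested in the reply above, as an added example that is not part of any post in this thread: it reads the dates out of the log file names, reports how many days back the oldest file goes, and counts calendar days with no file at all. The YYYY-MM-DD_HHMMSS.log naming pattern and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): how far back do the log files go?
# Assumption: log files carry their date in the name as YYYY-MM-DD_HHMMSS.log.

# Julian day number for YYYY-MM-DD, integer arithmetic only (no GNU date needed).
jdn() {
    y=${1%%-*}; md=${1#*-}; m=${md%%-*}; d=${md#*-}
    m=${m#0}; d=${d#0}                     # avoid octal parsing of 08 / 09
    a=$(( (14 - m) / 12 )); y=$(( y + 4800 - a )); m=$(( m + 12 * a - 3 ))
    echo $(( d + (153 * m + 2) / 5 + 365 * y + y / 4 - y / 100 + y / 400 - 32045 ))
}

# Unique dates present in the file names of directory $1, oldest first.
log_dates() {
    for f in "$1"/[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]_*.log; do
        [ -e "$f" ] || continue            # glob matched nothing
        b=${f##*/}; echo "${b%%_*}"
    done | sort -u
}

# Days between the oldest dated log in $1 and the date $2 (YYYY-MM-DD).
days_back() {
    oldest=$(log_dates "$1" | head -n 1)
    [ -n "$oldest" ] || { echo 0; return; }
    echo $(( $(jdn "$2") - $(jdn "$oldest") ))
}

# Calendar days between the oldest and newest log that have no file at all.
missing_days() {
    first=$(log_dates "$1" | head -n 1); last=$(log_dates "$1" | tail -n 1)
    [ -n "$first" ] || { echo 0; return; }
    have=$(log_dates "$1" | wc -l)
    echo $(( $(jdn "$last") - $(jdn "$first") + 1 - have ))
}

# Demo on a constructed directory (file names are made up for illustration).
demo=$(mktemp -d)
for n in 2019-01-01_000000 2019-01-01_134500 2019-01-03_000000; do : > "$demo/$n.log"; done
echo "days back: $(days_back "$demo" 2019-04-01), missing days: $(missing_days "$demo")"
rm -rf "$demo"

# On the server: days_back "$FWDIR/log" "$(date +%Y-%m-%d)"
```

A days_back result below the configured -days_to_index value means there are fewer days of log files on disk than the indexer was asked to cover.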
Sigbjorn
Nickel

Re: Logs indexation 30 days R80.20 Take 87


The index file adds more space usage on top of the log files, so make sure you have enough free space available, or the oldest log will be deleted according to your policy.

chico
Nickel

Re: Logs indexation 30 days R80.20 Take 87


Hello,

Yep, I already checked this point; I have enough disk space.

 

Regards,

Employee+
Employee+

Re: Logs indexation 30 days R80.20 Take 87


Hi chico,

To index older log files up to 90 days, you appear to have configured it properly, assuming you restarted the indexer (stopIndexer; startIndexer or evstop; evstart).

You definitely have enough space to avoid the 'emergency' min maintenance, more than 15% of the Logs=/var/log/ partition (if I see it properly in your pic)?

If it still doesn't work, email me with the output of:

$RTDIR/scripts/doctor-log.sh

 

 

Dror Aharony (drora@checkpoint.com)

0 Kudos