Thanks @Amir_Senn
That gave me some ideas, suggesting sk117317 it mentions log_keep_on_days which when I look at $FWDIR/conf/log_policy.C which does have value set at 3650 which ties in with your 10 years comment but in sk123532 it says that value is not applicable for R80.x (I presume that also means R81.x). At the beginning of sk117317 it says to look at the logging & monitoring guide for R80.40+ but don't see any CLI config and seems to only have min disk space values as options in GUI. My main intention of trying to work this out is so that I can show auditors that we keep these audit logs for X days like I can easily for the traffic logs.
I'm showing them in smartconsole > log server > log settings > Daily logs retention configuration > Keep indexed logs for no longer than X days / keep log files for an additional X days. The audit logs are going back much further than the days specified there.
I wonder if even though log_keep_days_value isn't supported anymore would the delete_after (3650) value still apply?
:log_keep_days_value (3650)
:index_delete_older_than_value (3650)
:index_delete_older_than (false)
:logs_distribution (false)
:maintenance_items (
: (
:type (audit)
:delete_after (3650)
)
: (
:type (files)
:delete_after (3650)
)
: (
:type (firewallandvpn)
:delete_after (3650)
)
: (
:type (other)
:delete_after (3650)
)
: (
:type (other-smartlog)
:delete_after (3650)
)
: (
:type (resources)
:delete_after (3650)
)
: (
:type (smartevent)
:delete_after (3650)
)