Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
PhongNN
Contributor

Delete old file when disk space below ?

I just recently realized that my log partition never reach 52%

I set When disk space is below 20%, start deleting old files. So i just want to ask :

disk space meaning all partition or just log partition ? Example

Filesystem Size Used Avail Use% Mounted on
/dev/mapper/vg_splat-lv_current 50G 13G 38G 26% /
/dev/sda1 291M 43M 234M 16% /boot
tmpfs 9.7G 3.8M 9.7G 1% /dev/shm
/dev/mapper/vg_splat-lv_log 1.3T 668G 651G 51% /var/log
cgroup 9.7G 0 9.7G 0% /sys/fs/cgroup

Looking at the output, Maybe the disk space is over 80%, right ? Because the vg_splat-lv_log partition is never reach 52%

so i cannot storage old log files

0 Kudos
9 Replies
G_W_Albrecht
Legend Legend
Legend

This is for log partition ! What about the old log files ? Can you see that every day, another old log is deleted ? Please also specify the configuration - as a GW usually logs to a SMS, /var/log space will not be diminished.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhongNN
Contributor

If this configuration only relevant to log partition, why does it only reach to 51% ?  I configure When disk space below 20 percent,start deleting old file, so it should reach to 80%, right. Currently i could see log for 2-3 days

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Whilst space currently looks fine, the following might be relevant here:

sk114114: Disk space management tools do not delete logs from previous Security Management versions

https://support.checkpoint.com/results/sk/sk114114

 

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin
Admin

The percentages are relative to the partition itself, not to other partitions.
Which means your /var/log is at 51% of its capacity and should have plenty of space to store more logs.

PhongNN
Contributor

But the log partition could only reach to 51%, so i only see the logs for 2-3 days. If i uncheck this configuration, i saw the log can be increased further. You can see the picture which attached

0 Kudos
Amir_Senn
Employee
Employee

You also have daily log cleanup, saves 90 days of indexes and almost 10 years of logs.

Indexes are probably deleted and this cleans up some disk space + makes the logs unavailable in index mode but can still be opened manually.

If you want the cleanup to be only the emergency you can remove the daily retention. There's no right or wrong way to define this, it depends on personal preferences.

Kind regards, Amir Senn
0 Kudos
PhongNN
Contributor

Hi Amir, but I think the current configuration doesn't seem right, because the logs were deleted even before the threshold is reached,I am currently setting the threshold at 80% ( The option When disk space is below i set 20 percent)

0 Kudos
PhoneBoy
Admin
Admin

I recommend getting the TAC involved to assist in troubleshooting this issue.

0 Kudos
Amir_Senn
Employee
Employee

I advise to do 2 things:

1) Check if you ever used extended policy (which overrides the one in SmartConsole). You can check it if you have log_policy_extended.C under $FWDIR/conf/ . If you have an example it's ok.

2) Log policy is updated when we install DB. Install DB on the log server/MGMT and check fwd.elg . Look for loaded set and working set values and see if they fit you log policy. 

If you don't have any extended policy, the loaded set is what you set from SmartConsole and should be the working set.

Kind regards, Amir Senn
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events