@rozkie20 @the_rock @PhoneBoy @Martin_Raska @Blason_R 

Lets start with not deleting the files, this will not cause major issues and you can always re-index the logs but I will explain everything and show best practices.

Here's a crash course:

Log indexing is happening without any relation to SmartEvent. It's enabled by default on every  dedicated log server and primary management server unless it's functioning as gateway as well or on weak machines.

Indexing is not only much faster, it allows to query multiple log files and query multiple log servers with custom timeframes. Not working with indexes will force you to work with log files.

This is enabled here:

The storage issue is common when not defining log policy. By default we have only emergency cleanup which is triggered by default when storage reaches 5 GB it will start deleting oldest logs and indexes. This was determined quite a while ago and if you do an upgrade it will retain this policy even if the default policy will be changed for newer installations.

Storing logs long enough will fill any amount of storage, just depends how long it takes as it just keeping piling up.

Each type of log is indexed into a different index core: firewallandvpn (~85-98% of your logs will be found here), audit (anything in the audit logs), other, smartevent, other-smartlog, resources (extended logging on Application Control and URL Filtering) and files (extended logging on Content Awareness).

What SmartEvent does (amongst other features) is to extend the indexing on existing indexes in order to create informational views and reports using SmartView. You can check the amount of storage it actually takes using "du -s $RTDIR/log_indexes/smart* | sort -n" .

The best way to control this is by defining daily log retention (on every server functioning as log server/SmartEvent):

Audit logs (since they're the drop in the sea and could be useful) are exempted from this.

Deleting index files will drop the relevant logs from query so for guidance I will ask the following:

How far back do I need to search for logs (this is the desired amount of time to keep indexes, maybe give a little extra for safety).

How long do I need to keep my logs? Recommended value should be equal to <days> - <index retention set> + safety.

You finish it up by installing database on all management servers (SmartEvent included).

Installing database is the equivalent of installing policy on gateways, so any changes you make for such servers - follow with this action.

It's possible that if you disabled SmartEvent but never installed database that server still thinks it needs to do it. Relevant processes on SmartEvent are CPSEMD and CPSEAD. If you can spot them on "cpwd_admin list" - you're running a SmartEvent server.

If somehow this still happens, you can use the SK below and define extended log policy that can define different time to retain specific index cores.

sk117317 (How to configure log / log indexes maintenance policy for Global SmartEvent Server / Log Server and MDS / MLM)