Log rotation in R80.10
We recently replaced an R77.30 management server with R80.10. Since then our configured log rotation schedule is being ignored. We have it set to rotate firewall log files on Tues and Thurs at 11pm, but it's *also* rotating the log files at every midnight. Is this a new "feature"? (If so, it doesn't exist in any documentation anywhere.) Can it be over-ridden? I want no more than two log files per week.
Thanks
This was discussed in a previous thread: Disabling the built-in Logswitch on R80 SMS at midnight?
It's also confirmed in the following SK: R80.x Security Management/Log Server runs logswitch nightly at 12:00:00 AM
SK119794 is literally the only place this behavior is mentioned. It's not included in the Security Management Admin guide, the Logging and Monitoring Admin guide, the R80 intro (sk108623), the R80 Known Limitations (sk108624), nor in any of the logging kb articles I can find. Even though it apparently affects all versions 80.x, it went completely undocumented from R80's release in March of '16 until sk119794 was published in Aug. of '17.
That's rather disappointing.
While I agree this could have been documented sooner, I am curious about the specific use case where only two log files a week is desirable.
Note that by default, all logs are indexed in R80.x, which reduces the need to reference a specific log file, such as was required with SmartView Tracker.
Tracker is sometimes preferable to SmartLog. Twice weekly is simply a good balance for us between query speed and having relevant/recent log entries available. In addition, our data retention policies require us to separately archive firewall logs for 60 days. It's easier to manage eight log files/month than 30. I'd prefer four, but they get unwieldy large.
Understand that while the binaries for SmartView Tracker are still included in R80 and R80.10, it has been deprecated and may be removed in a future release.
If there is specific functionality that you can't achieve in SmartLog R80.x, it's worth a separate thread to discuss.
I have just upgraded our Provider-1 to R80.10 and I discovered this topic.
Reading SK119794, I assume there is a logswitch at midnight and/or at 2Gb?
On the other hand, we are storing logs for at least 2 years due to legal requirements.
If SmartView Tracker may be removed in a future release, what would be the best practice for storing logs?
Yes, we auto-switch at midnight and/or 2GB, whichever comes first.
You can still archive the logs the same way as with previous releases (i.e. copy off the files from $FWDIR/log) and they can be read in and reindexed.
Dameon,
I noticed this behavior was also occurring on Audit logs now, can you disable those separately?
1 audit file is mostly more than enough per Domain.
These log rotations cannot be disabled to the best of my knowledge.
I'm certain that there are intermediate cases but I have a use case where any log switching at all is unnecessary and inconvenient - CMAs which don't receive traffic logs. These can go for years without the .adtlog getting too large.
I'm here because I have a script which reports on policy install operations etc and now will have to enhance it to determine which files to iterate over for a given period.
... unless it's possible to query SmartLog from the command line?
Logs are currently not queryable through the CLI.
If you want to see when the gateway last received a policy (either through fetch or push), the command cpstat -f policy fw (from the gateway) will tell you.
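
For the reporting-script case raised in the thread (working out which rotated files cover a given period now that a switch happens every midnight), here is one way to pick the files. This is an added example, not code from the thread or from Check Point. It assumes rotated files are named by switch time as YYYY-MM-DD_HHMMSS.<ext> and the active file is fw.<ext>; `select_logs` and `make_sample_dir` are hypothetical names, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example. Assumption: a log switch renames the active fw.<ext> to
# YYYY-MM-DD_HHMMSS.<ext>, where the timestamp is the moment of the switch.

# select_logs DIR EXT START END
# START and END use the same YYYY-MM-DD_HHMMSS form, so plain string
# comparison orders them. Prints one file name per line.
select_logs() {
    dir=$1; ext=$2; start=$3; end=$4
    for f in "$dir"/*."$ext"; do
        [ -e "$f" ] && printf '%s\n' "${f##*/}"
    done |
    grep -E "^[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{6}\.$ext\$" |
    LC_ALL=C sort |
    LC_ALL=C awk -v s="$start" -v e="$end" -v ext="$ext" '
        BEGIN { prev = "" }
        {
            ts = substr($0, 1, 17)   # switch time: newest record in this file
            # The file holds records from the previous switch up to ts.
            if (ts >= s && prev <= e) print
            prev = ts
        }
        # Anything after the newest switch is still in the active file.
        END { if (prev == "" || e > prev) print "fw." ext }'
}

# Constructed sample directory standing in for $FWDIR/log (names only).
make_sample_dir() {
    d=$(mktemp -d)
    for n in 2018-03-01_000000 2018-03-02_000000 2018-03-03_000000 fw; do
        : > "$d/$n.adtlog"
        : > "$d/$n.log"
    done
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
# Audit records for the afternoon of 1 March sit in the file switched at
# the following midnight.
select_logs "$sample" adtlog 2018-03-01_120000 2018-03-01_180000
rm -rf "$sample"
```

Check the naming assumption against a listing of your own log directory before relying on the selection; the same function works for both traffic and audit files by changing the extension argument.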
