Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
chico
Contributor
Jump to solution

Logs indexation 30 days R80.20 Take 87

Hello everybody,

I would like to generate some security reports but I can generate reports with only 30 days retentions. I changed the option to do not delete the index files older than 30 days.

I follow the process as mentionned in the SK sk111766  and configured the ./log_indexer -days_to_index <NUM_OF_DAYS_TO_INDEX> to 90 days but nothing as changed when I generate a report.

Logs_storage_SMS.png

 

logIndexer.png

If someone had the same issue and have find a solution ?

Regards,

 

Campos Miguel

 

 

1 Solution

Accepted Solutions
chico
Contributor

Hello Dror Aharony,

Thank you for your reply, I'm just restarted the indexer service but nothing changed. I find an another SK for run SmartEvent Offline Jobs for multiple logs "sk98894" but I don't understand the difference with the SK sk111766.

I send you the result from the doctor-log.sh

Thank you a lot for your feedback

 

Miguel

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
Have you verified that you have 90+ days of logs to index?
If so, then you may want to involve the TAC.
0 Kudos
chico
Contributor

Hello,

Where can I check that ?

0 Kudos
PhoneBoy
Admin
Admin
$FWDIR/log
A new log file is created daily at midnight and when a log file gets to 2GB in size.
The log files are named by date, so you should be able to see how far back your logs go.
0 Kudos
Sigbjorn
Advisor
Advisor

The index file adds more space usage on top of the log files, so make sure you have enough free space available, or the oldest log will be deleted according to your policy.

chico
Contributor

Hello,

Yep, I already check this point, I have enough espace disk.

 

Regards,

Dror_Aharony
Employee Alumnus
Employee Alumnus

Hi chico,

to Index older log-files up-to 90 days, you look to have configured it properly, assuming you restarted the Indexer (stopIndexer; startIndexer or evstop;evstart).

You definitely have enough space to avoid the 'emergency' min maintenance, more than 15% of Logs=/var/log/ partition (if I see it properly on your pic)?

 

if still doesn't work, Email me with output of:

$RTDIR/scripts/doctor-log.sh

 

 

Dror Aharony (drora@checkpoint.com)

0 Kudos
chico
Contributor

Hello Dror Aharony,

Thank you for your reply, I'm just restarted the indexer service but nothing changed. I find an another SK for run SmartEvent Offline Jobs for multiple logs "sk98894" but I don't understand the difference with the SK sk111766.

I send you the result from the doctor-log.sh

Thank you a lot for your feedback

 

Miguel

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events