Simon_Macpherso
Advisor

Smart Event Log Indexes Deletion

Hello Checkmates,

Log indexes are not being removed from /var/log/opt/CPrt-R80.40/log_indexes on the Smart Event server and are consuming more than 50% of the 1.2TB log partition.

Smart Event server version is R80.40 JHF GA Take 94.

du -h --max-depth=1 /var/log/opt/CPrt-R80.40 | sort -n -r
621G /var/log/opt/CPrt-R80.40
619G /var/log/opt/CPrt-R80.40/log_indexes
200M /var/log/opt/CPrt-R80.40/log_indexer
111M /var/log/opt/CPrt-R80.40/conf
20M /var/log/opt/CPrt-R80.40/Database
1.1G /var/log/opt/CPrt-R80.40/log
0 /var/log/opt/CPrt-R80.40/events_db
0 /var/log/opt/CPrt-R80.40/distri

Within /var/log/opt/CPrt-R80.40/log_indexes there are a lot of folders named audit_*, other_*, resources_* and smartevent_* (example below), that date back to March 2021.

audit_2022-04-06T00-00-00
other_2022-04-07T00-00-00
resources_2022-04-06T00-00-00
smartevent_2022-04-06T00-00-00

The daily log retention policy in Smart Console is configured as below.
- Keep indexed logs for no longer than 14 days
- Keep log files for an extra 16 days

Does sk117317 relate to this issue? Does a maintenance policy need to be configured on the server?

0 Kudos
5 Replies
the_rock
Legend

My honest opinion...yes and yes. But, I will let smart event gurus confirm.

0 Kudos
Amir_Senn
Employee

The SK is relevant only if you run global SmartEvent; if not, just make sure you installed DB.

You can look at $FWDIR/log/fwd.elg to see what the loaded policy is (install DB for non-global SmartEvent or restart the fwd process on global).

Kind regards, Amir Senn
0 Kudos
Simon_Macpherso
Advisor

Thanks @Amir_Senn. DB install was required after recent changes. 

0 Kudos
Ruan_Kotze
Advisor

Note that the SK is only applicable to Global SmartEvent / MDS.

I think the value configured on SmartConsole takes precedence, but it would still be worthwhile to check what the days_to_index value in your $INDEXERDIR/log_indexer_custom_settings.conf is.

0 Kudos
Simon_Macpherso
Advisor

There is no days_to_index value configured in $INDEXERDIR/log_indexer_custom_settings.conf. 

0 Kudos
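
Added example, not part of the thread and not Check Point tooling: a read-only check that lists the index directories from the original post whose name date falls outside the retention window, with their size, so you can confirm whether the installed policy is being applied. The function name `stale_indexes` and the reading of the date in the directory name as the index day are assumptions.

```shell
#!/bin/sh
# Added example: report index directories older than the retention window.
# Read-only: it lists candidates and their size, it deletes nothing.
#
# stale_indexes DIR DAYS [TODAY]
#   DIR    directory holding <type>_YYYY-MM-DDT00-00-00 folders
#          (audit_*, other_*, resources_*, smartevent_* in the post)
#   DAYS   "Keep indexed logs for no longer than N days" value
#   TODAY  optional YYYY-MM-DD reference date (defaults to the current UTC date)
# Prints "name<TAB>size_in_KB" for each directory dated before TODAY - DAYS.
stale_indexes() (
    dir=$1
    days=$2
    today=${3:-$(date -u +%Y-%m-%d)}

    # Work in epoch seconds so the date arithmetic does not depend on
    # relative-date parsing ("-14 days") being available.
    cutoff_epoch=$(( $(date -u -d "$today" +%s) - $days * 86400 ))
    cutoff=$(date -u -d "@$cutoff_epoch" +%Y%m%d)

    for path in "$dir"/*_[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T*; do
        [ -d "$path" ] || continue        # skip files and an unmatched glob
        name=${path##*/}
        day=${name##*_}                   # 2022-04-06T00-00-00
        day=${day%%T*}                    # 2022-04-06
        day_num=$(printf '%s' "$day" | tr -d '-')   # 20220406
        if [ "$day_num" -lt "$cutoff" ]; then
            printf '%s\t%s\n' "$name" "$(du -sk "$path" | cut -f1)"
        fi
    done
)

# Usage on the server from the post (path taken from the post, 14-day policy):
#   sh stale_indexes.sh /var/log/opt/CPrt-R80.40/log_indexes 14
if [ "$#" -ge 2 ]; then
    stale_indexes "$@"
fi
```

An empty result means every index directory is within the window; a long list means the retention policy in effect on the server is not the one configured in Smart Console.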
