This discussion has been locked.

UTM9 log file deletion

Hi everyone,

I wonder if anyone can offer some assistance on the local logging on the UTM9?

I set the thresholds for the local logging to alert at 85% full and delete the oldest logs at 90%. It seems to now be getting to 90% and then only deleting enough to go under that which seems to fill up again quite quickly (thus constantly alerting me). I have just set the logs to delete anything older than a year (the max you can go up to) expecting this to go ahead and remove older logs but it doesn't seem to have done that. Is this something that it will do, or is it a flag set on logs from this point onwards?

Thanks very much.



  • I have a similar issue in relation to the auto deletion settings.

    My settings are the same

    When usage reaches 85% do this: Send notification  

    When usage reaches 90% do this: Delete oldest log files

    When usage reaches 95% do this: Nothing (as it shouldn't ever reach this level)

    I get a number of [INFO-153] messages every day depending on how busy the appliance is.

    It appears from the log entries (below) that this process only runs once a day and as the OP suggested it does not seem to delete enough logs to create space for a day's worth of logs to be stored.

    2017:05:05-00:00:33 utm-2 logcleaner[17521]: INFO: Activated space dependent deletion!
    2017:05:05-00:00:33 utm-2 logcleaner[17521]: INFO: - /var/log (usage: 90% blocks, 1% inodes) triggered threshold 2 (90%), action: delete
    2017:05:05-00:00:55 utm-2 logcleaner[17521]: [WARN-711] Log files have been deleted
    2017:05:05-00:00:55 utm-2 logcleaner[17521]: INFO: * action succeeded, finished.
    2017:05:05-00:00:55 utm-2 logcleaner[17521]: INFO: * deleted 194 files and/or directories 

    Edit:

    Interestingly I do not seem to be sent a [WARN-711] email to indicate that the logs have been deleted even though configured to do so in the Notifications settings.

    I subsequently found that I had been receiving the [WARN-711] messages; they are quite informative as they include an attachment detailing all deleted files.

    It seems to me that the text in the "do this:" drop-down boxes does not accurately describe the behaviour that is triggered when the threshold is met, and that the help description also does not accurately describe what happens.

    It would be useful to be able to set a percentage target to be met when the threshold for deletion is reached.

    When usage reaches XX% do this: Delete oldest log files to reach YY%

    e.g.

    When usage reaches 90% > delete log files to reach 85% used space.

    Bringing this down to just below the threshold seems a bit limiting to me, however if the current behaviour was what a customer wanted/needed then they could set it as follows based on my suggestion.

    When usage reaches 90% > delete log files to reach 90% used space.

     

    As I have recently set the UTM to copy logs to a remote location this ensures that I can manage these copies based on their age for these files using whatever approach I feel like on the remote storage system, however as there is no (easy?) way to copy all of the historical old log files from the UTM to remote storage.

    Once my retention requirement has been met on the remote storage copy I would be able to set the appliance to delete logs after an amount of time, although this does mean that searching these logs would have to be done by something less easy than the UTM built in search features.
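
To track how often the cleaner fires and how much it removes each time, here is an added example (not part of the post above and not Sophos tooling) that parses the logcleaner lines quoted in that post into one summary per run. Grouping lines into a run by host, PID and calendar day is an assumption, as are the function and field names.

```python
import re
from datetime import datetime

# The five logcleaner lines quoted in the post above, copied verbatim.
SAMPLE = """\
2017:05:05-00:00:33 utm-2 logcleaner[17521]: INFO: Activated space dependent deletion!
2017:05:05-00:00:33 utm-2 logcleaner[17521]: INFO: - /var/log (usage: 90% blocks, 1% inodes) triggered threshold 2 (90%), action: delete
2017:05:05-00:00:55 utm-2 logcleaner[17521]: [WARN-711] Log files have been deleted
2017:05:05-00:00:55 utm-2 logcleaner[17521]: INFO: * action succeeded, finished.
2017:05:05-00:00:55 utm-2 logcleaner[17521]: INFO: * deleted 194 files and/or directories
"""

LINE = re.compile(r"^(\S+) (\S+) logcleaner\[(\d+)\]: (.*)$")
TRIGGER = re.compile(r"- (\S+) \(usage: (\d+)% blocks, \d+% inodes\) "
                     r"triggered threshold \d+ \((\d+)%\), action: (\w+)")
DELETED = re.compile(r"deleted (\d+) files and/or directories")


def parse_runs(text):
    """Summarise each logcleaner run found in text, oldest first."""
    runs = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a logcleaner line
        stamp, host, pid, msg = m.groups()
        ts = datetime.strptime(stamp, "%Y:%m:%d-%H:%M:%S")
        # Assumption: one run = same host, PID and calendar day.
        run = runs.setdefault((host, pid, ts.date()), {
            "host": host, "start": ts, "end": ts, "path": None,
            "usage_pct": None, "threshold_pct": None, "action": None,
            "deleted": 0, "warn_711": False})
        run["start"], run["end"] = min(run["start"], ts), max(run["end"], ts)
        if (t := TRIGGER.search(msg)):
            run["path"], run["action"] = t.group(1), t.group(4)
            run["usage_pct"], run["threshold_pct"] = int(t.group(2)), int(t.group(3))
        elif (d := DELETED.search(msg)):
            run["deleted"] += int(d.group(1))
        run["warn_711"] = run["warn_711"] or "[WARN-711]" in msg
    return sorted(runs.values(), key=lambda r: r["start"])


if __name__ == "__main__":
    for r in parse_runs(SAMPLE):
        secs = (r["end"] - r["start"]).total_seconds()
        print(f'{r["start"]} {r["host"]} {r["path"]}: usage {r["usage_pct"]}% hit '
              f'{r["threshold_pct"]}% threshold, action={r["action"]}, '
              f'deleted={r["deleted"]}, took {secs:.0f}s, WARN-711={r["warn_711"]}')
```

Fed several days of these lines, the per-run summaries show whether the delete action fires on every daily run and how many files each run removes.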

  • Hi QA, and welcome to the UTM Community!

    What size hard drive are you using?  Which logs are too big?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA