Log data management and how it works

Log data management keeps the number of logs at a reasonable level and prevents log files from filling the storage space.

Log entries are stored in log files on the Log Server. Audit entries are stored on the Log Server or Management Server that originally created them. If these files are never removed, they eventually fill up the storage space on the Log Server or Management Server. In the properties of the Log Server and the Management Server, you can optionally specify what happens when the log storage is full. For the Log Server, an alert is automatically sent when the amount of log and audit data on the Log Server exceeds 75% of the total storage capacity.

You can manage the log data in the following ways:

  • Configure logging options in rules to prevent unnecessary log entries from being created.
  • Export log data so that it can be used elsewhere.
  • Copy log data to an archive location.
  • Delete old or unnecessary log data.
  • Set up log management tasks that run automatically at regular intervals to export, copy, and delete selected data.
  • Discard irrelevant log entries by pruning some of the log entries before they are stored on the Log Server.

This illustration demonstrates how log pruning filters are used in log data management.

Figure: Log pruning



The engines send their logs to their configured Log Server. The Log Server either stores the log entries or just relays them to be viewed immediately in the Current Events mode in the Logs view. Some logs might be discarded through pruning before these operations. When you view logs, the information is fetched directly from the Log Servers. Some other tasks, such as processing data for statistical reports, are also partially carried out by the Log Server.

You can prune log entries in two phases using Immediate Discard filters and Discard Before Storing filters. Immediate Discard filters delete log entries as they arrive at the Log Server. Discard Before Storing filters delete log entries before they are stored on the Log Server.
Note: Alert entries and audit entries cannot be pruned.
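
The two pruning phases described above, modelled as an added example (not the product's own code and not part of the original page). The entry fields, filter predicates, and sample entries are constructed for illustration, and the model assumes that entries removed by Discard Before Storing filters have already been relayed to Current Events.

```python
from dataclasses import dataclass, field

# Entry types that the page says cannot be pruned.
UNPRUNABLE = {"alert", "audit"}


@dataclass
class LogServerModel:
    """Hypothetical model of a Log Server with two pruning phases."""
    immediate_discard: list        # predicates checked as entries arrive
    discard_before_storing: list   # predicates checked just before storage
    current_events: list = field(default_factory=list)
    stored: list = field(default_factory=list)
    dropped: dict = field(
        default_factory=lambda: {"immediate": 0, "before_storing": 0})

    def receive(self, entry):
        prunable = entry["type"] not in UNPRUNABLE
        # Phase 1: the entry is deleted on arrival and is never seen again.
        if prunable and any(f(entry) for f in self.immediate_discard):
            self.dropped["immediate"] += 1
            return
        # Assumption: relaying to Current Events happens before phase 2.
        self.current_events.append(entry)
        # Phase 2: the entry was visible live but leaves no stored record.
        if prunable and any(f(entry) for f in self.discard_before_storing):
            self.dropped["before_storing"] += 1
            return
        self.stored.append(entry)


def run_sample():
    """Feed constructed entries through the model and return its state."""
    server = LogServerModel(
        immediate_discard=[lambda e: e["service"] == "ntp"],
        discard_before_storing=[lambda e: e["action"] == "allow"],
    )
    sample = [  # constructed entries, not real log data
        {"type": "log", "service": "ntp", "action": "allow"},
        {"type": "log", "service": "http", "action": "allow"},
        {"type": "log", "service": "ssh", "action": "discard"},
        {"type": "alert", "service": "ntp", "action": "allow"},
    ]
    for entry in sample:
        server.receive(entry)
    return server
```

The alert entry matches both filters but is still stored, while the matching ordinary entries leave no stored record that later investigation or reporting could use.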

Limitations

Only the logs in the active storage are used in reporting. If you archive logs, you can still view them in the Logs view, but they are no longer available when you generate reports.

Alert and audit logs cannot be pruned.