Log data management and how it works

Log data management keeps the number of logs at a reasonable level and prevents log files from filling the storage space.

Log entries are stored in log files on the Log Server. Audit entries are stored on the Log Server or Management Server that originally created them. If these files are never removed, they eventually fill up the storage space on the Log Server or Management Server. In the properties of the Log Server and the Management Server, you can optionally specify what happens when the log storage is full. For the Log Server, an alert is automatically sent when the amount of log and audit data on the Log Server exceeds 75% of the total storage capacity.

You can manage the log data in the following ways:

  • Configure logging options in rules to prevent unnecessary log entries from being created.
  • Export log data so that it can be used elsewhere.
  • Copy log data to an archive location.
  • Delete old or unnecessary log data.
  • Set up automatic log management tasks to run automatically at regular intervals for exporting, copying, and deleting selected data.
  • Discard irrelevant log entries by pruning some of the log entries before they are stored on the Log Server.

This illustration demonstrates how log pruning filters are used in log data management.

Figure: Log pruning

The engines send their logs to their configured Log Server. The Log Server either stores the log entries or just relays them to be viewed immediately in the Current Events mode in the Logs view. Some logs might be discarded through pruning before these operations. When you view logs, the information is fetched directly from the Log Servers. Some other tasks, such as processing data for statistical reports, are also partially carried out by the Log Server.

You can prune log entries in two phases using Immediate Discard filters and Discard Before Storing filters. Immediate Discard filters delete log entries as they arrive to the Log Server. The Discard Before Storing filters delete log entries before the log entries are stored on the Log Server.
Note: Alert entries and audit entries cannot be pruned.


Only the logs in the active storage are used in reporting. If you archive logs, you can still view them in the Logs view, but they are no longer available when you generate reports.

Alert and audit logs cannot be pruned.