Discard unnecessary logs

Log data pruning allows you to discard some of the generated logs according to detailed filtering criteria you set.

Before you begin

If Domains are in use, you must log on to the Shared Domain.

You can manage the amount of log data by defining log pruning filters. Log pruning is needed, for example, when a rule generates both useful and unnecessary logs. Log pruning gives you the ability to discard newly generated irrelevant log entries on the Log Server. Only logs can be pruned: alerts and audit entries are never pruned.

It is better to adjust log generation options instead of letting log entries be generated and then pruning them. Pruning log entries after they are generated wastes system resources by creating and transferring the unnecessary logs.

You can define two types of log pruning filters:
  • Immediate Discard filters delete log entries immediately as they arrive on the Log Server. The deleted log entries are not displayed in the Management Client.
  • Discard Before Storing filters delete log entries before they are saved. Log entries are shown in the Current Events mode in the Logs view before they are deleted. This option converts Essential or Stored type log entries to Transient log entries.
If Domain elements have been configured, log pruning filters can only be defined in the Shared Domain. The same log pruning filters are used in all Domains. Administrators who have the right to manage log pruning can view the log pruning filters when they are logged on to other Domains.
CAUTION:
Be careful when defining the pruning filters. The matching log events are irreversibly deleted at the Log Server.

You can prune log entries as soon as they arrive on the Log Server or before they are stored. When you prune log entries before they are stored, you can still view them in the Current Logs view.

Use pruning with caution. The data is deleted without leaving any traces and there is no way to recover incorrectly pruned entries. Pruning also wastes resources compared to preventing the entries from being generated. Pruned entries still have to be created and transferred to the Log Server, and the Log Server still has to process them.

You can prune normal log entries; alert and audit entries cannot be pruned. The logs are pruned using log filters.
Note: Pruning has no effect on logs that have already been stored.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Menu > File > New Tab, then select Log Data Pruning.
  2. Select the tab of the log data type you want to prune.
  3. Select a log filter for pruning log data from the tree in the Resources pane. If you add several Log Filters, they are combined with a logical OR. Each filter is matched individually, so all logs that match any of the selected filters are deleted.
    To create a Filter, select New > Filter.
    CAUTION:
    Never select the Match All filter for log pruning. Pruning with the Match All filter irreversibly destroys all new logs that are created.
  4. Activate the pruning for the correct stage:
    • Click Add below the Immediate Discard field to prune logs before they are even shown in the Current Logs view.
    • Click Add below the Discard Before Storing field to show the log entries in the Current Logs view and then delete them before they are permanently stored.

    CAUTION:
    Any log entry that matches the filter you have selected is irrevocably deleted. The changes you make to pruning filters are applied immediately.
  5. A warning message is displayed. Click Yes to prune the selected log entries. This change is applied immediately without any further action.
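Because pruning is irreversible and takes effect immediately, it helps to check what a set of filters would discard before adding them. The following is an added example, not product code: it models only the rules stated on this page (filters combined with OR, Immediate Discard applied before Discard Before Storing, alerts and audit entries never pruned), and the field names, sample entries and predicate-style filters are assumptions.

```python
# Added example: a model of the pruning rules stated on this page, not product code.
# Field names and predicate-style filters are assumptions for illustration.
PRUNABLE_KINDS = {"log"}  # alerts and audit entries are never pruned

# Constructed sample entries.
SAMPLE = [
    {"id": 1, "kind": "log", "rule": "12.1", "action": "Allow", "dst_port": 53},
    {"id": 2, "kind": "log", "rule": "12.1", "action": "Allow", "dst_port": 443},
    {"id": 3, "kind": "log", "rule": "40.2", "action": "Discard", "dst_port": 23},
    {"id": 4, "kind": "log", "rule": "40.2", "action": "Discard", "dst_port": 53},
    {"id": 5, "kind": "alert", "rule": "40.2", "action": "Discard", "dst_port": 23},
    {"id": 6, "kind": "audit", "operation": "Policy upload"},
]

def dns_allow(e):   # hypothetical filter: allowed DNS traffic
    return e.get("action") == "Allow" and e.get("dst_port") == 53

def noisy_rule(e):  # hypothetical filter: everything from one rule
    return e.get("rule") == "40.2"

def match_all(e):   # stands in for the Match All filter
    return True

def dry_run(entries, immediate, before_storing):
    """Classify entries by what the two filter lists would do to them."""
    out = {"discarded_unseen": [], "transient_only": [], "stored": []}
    for e in entries:
        if e["kind"] not in PRUNABLE_KINDS:
            out["stored"].append(e["id"])
        elif any(f(e) for f in immediate):        # several filters: logical OR
            out["discarded_unseen"].append(e["id"])
        elif any(f(e) for f in before_storing):
            out["transient_only"].append(e["id"])
        else:
            out["stored"].append(e["id"])
    return out

def review(entries, immediate, before_storing, max_loss=0.5):
    """Return the dry-run result plus warnings to resolve before activating."""
    out = dry_run(entries, immediate, before_storing)
    total = sum(1 for e in entries if e["kind"] in PRUNABLE_KINDS)
    lost = len(out["discarded_unseen"]) + len(out["transient_only"])
    warnings = []
    if total and lost == total:
        warnings.append("behaves like Match All: every new log would be destroyed")
    elif total and lost / total > max_loss:
        warnings.append(f"{lost}/{total} logs would never be stored")
    return out, warnings

if __name__ == "__main__":
    print(review(SAMPLE, [dns_allow], [noisy_rule]))
```
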

Log Data Pruning view

Use this view to configure log data pruning. Log data pruning allows you to discard some of the generated logs according to detailed filtering criteria you set.

Option | Definition
Resources | Use this pane to create and add elements to the Log Data Pruning configuration.
Search | Opens a search folder for the selected element list.
Up (Backspace) | Returns to the previous folder.
New | Opens the associated dialog box to create a new element.
Tools | Show Deleted Elements: Shows elements that have been moved to the Trash.

The Log Data Pruning view has the following tabs:
  • FW Log Pruning
  • IPS Log Pruning
  • L2FW Log Pruning
  • Legacy SSL VPN Log Pruning
  • Authentication Log Pruning
  • RADIUS Accounting Log Pruning

Option | Definition
Immediate Discard | Shows the filters that cause logs to be immediately discarded.
Add | Adds the filters selected in the Resources pane to the Immediate Discard list. Tip: You can drag and drop the filters to the lists in this view.
Remove | Removes the selected filters from the Immediate Discard list.
Discard Before Storing | Shows the filters that cause logs to be discarded before storing.
Add | Adds the filters selected in the Resources pane to the Discard Before Storing list. Tip: You can drag and drop the filters to the lists in this view.
Remove | Removes the selected filters from the Discard Before Storing list.
Info pane | Use this pane to view more information about the selected element. The available tabs depend on the type of element selected.