JeremyNicoll

Log sizes, archiving logs, and archiving settings


I see the default size for the EIS log file is 300 records.  I know I can set a
higher number, or 0 for no limit.  If I alter the limit value upward does that
take effect immediately?

If I alter it downward to a non-zero value are records deleted immediately?  Or
would I be warned and/or given a chance to export them first?  If records are
deleted immediately, is it the oldest ones that go?

The GUI rather implies that the number one provides here is the total number of
log records, but I found when I increased the value from 300 to 1000 then later
exported settings and looked at them, that I had (in a2settings):

     UpdateLogSize=1000
     QuarantineLogSize=1000
     GuardLogSize=1000
     ScanLogSize=1000
     FirewallLogSize=1000

Does this really mean that the total size of the log is 5000?  Then again, there are
seven types of log data - so maybe 7000?  Why are there only five size settings?


I'm aware that the log data is held in a single file - an SQLITE database.  Can you
tell me if the on-disk file always contains the current log data - ie that after
each record is created the disk file is updated?

I am wondering how to archive logs, if the log database file is in use all the time
that EIS is running.  I know I can use your GUI to display each log in turn, click
on export, and save a file... but that's no use for a proper archiving scheme, run
under a scheduled task.  It seems to me that IF the on-disk SQLITE file supports
such a thing, an SQLITE utility that copies the open database file elsewhere then
dumps the contents of the copied file might be a good solution (and involve no work
on your part either...).

Does the way in which you've defined the database allow that?


Alternatively, can the developers PLEASE add a command-line option to force export
of all the log data to a specified directory?

Frankly, I would like the same CLI-driven option for saving all the current
settings, as well.


If I alter the limit value upward does that take effect immediately?

Yes. The change is either written to both the configuration file and the database immediately, or upon closing the EIS window.

If I alter it downward to a non-zero value are records deleted immediately?  Or would I be warned and/or given a chance to export them first?

To my knowledge, they are deleted either immediately, or at least as soon as you close the EIS window. To be on the safe side, I would recommend making backups before lowering the value of the maximum number of log records.

If records are deleted immediately, is it the oldest ones that go?

Yes, it should always be the oldest that is deleted first.

The GUI rather implies that the number one provides here is the total number of log records, but I found when I increased the value from 300 to 1000 then later exported settings and looked at them, that I had (in a2settings):

     UpdateLogSize=1000
     QuarantineLogSize=1000
     GuardLogSize=1000
     ScanLogSize=1000
     FirewallLogSize=1000

Does this really mean that the total size of the log is 5000?  Then again, there are seven types of log data - so maybe 7000?  Why are there only five size settings?

The logs are saved in a local database. Each table has its own maximum number of rows, and the number you are tweaking in the UI just changes the maximum number of rows for the following types of logs:

  • File Guard/Behavior Blocker/Surf Protection
  • Scanner
  • Updates
  • Firewall
  • Quarantine
It does not attempt to divide the number you enter by the number of database tables it changes the value for, so when you enter 1000 into the field it sets the value for each table to 1000. Everything else kept in the local logs database stays at 300 regardless of what you set the value in the UI for.

Yes, the File Guard, Behavior Blocker, and Surf Protection are all in the same table (which is why you see GuardLogSize in the config file instead of a separate line for each). That means they are all added together (File Guard + Behavior Blocker + Surf Protection = current number of records in that table), and your maximum number of records needs to account for that if you want to keep older log entries for the Guards.

I'm aware that the log data is held in a single file - an SQLITE database.  Can you tell me if the on-disk file always contains the current log data - ie that after each record is created the disk file is updated?

To my knowledge, changes to logs are written to the database immediately (or at least without much delay after something is logged). You should be able to see this by monitoring the last modified date/time of Logs.db3 and then running an update or a scan to see when it updates. In my testing, when running an update, the last modified time changed as soon as the update process finished.

I am wondering how to archive logs, if the log database file is in use all the time that EIS is running.  I know I can use your GUI to display each log in turn, click on export, and save a file... but that's no use for a proper archiving scheme, run under a scheduled task.  It seems to me that IF the on-disk SQLITE file supports such a thing, an SQLITE utility that copies the open database file elsewhere then dumps the contents of the copied file might be a good solution (and involve no work on your part either...).

Does the way in which you've defined the database allow that?

You can use a utility that supports SQLite databases to open the Logs.db3 file and export it if you would like. A lot of the names in the file are abbreviations and shorthand, however you should be able to figure out the important parts. File Guard, Behavior Blocker, and Surf Protection log entries are in the "IDSLogs" section.

Alternatively, can the developers PLEASE add a command-line option to force export of all the log data to a specified directory?

Frankly, I would like the same CLI-driven option for saving all the current settings, as well.

I'll forward your feature request.

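The archiving scheme discussed in this thread (copy the in-use SQLite file elsewhere, then dump the copy), worked through as an added example that is not Emsisoft's code and is not part of the original posts. It uses SQLite's online backup API rather than a raw file copy, so the snapshot is consistent even while EIS keeps writing to Logs.db3; the sample table and column names are constructed for the demo, except "IDSLogs", which the reply above names.

```python
# Added example, not Emsisoft's code. Sample table/column names are constructed, except "IDSLogs" (named in the reply above).
import csv
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
def snapshot_database(src_path, dest_path):
    """Transactionally consistent copy of a possibly-open database (a raw file copy is not)."""
    with sqlite3.connect(src_path) as src, sqlite3.connect(dest_path) as dst:
        src.backup(dst)  # SQLite online backup API: safe while another process writes
    src.close()
    dst.close()
    return dest_path

def dump_tables_to_csv(db_path, out_dir):
    """Export every user table to out_dir/<table>.csv; return {table: row_count}."""
    conn = sqlite3.connect(db_path)
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    counts = {}
    for name in tables:
        cur = conn.execute(f'SELECT * FROM "{name}"')  # name comes from sqlite_master, double-quoted
        rows = cur.fetchall()
        with open(os.path.join(out_dir, f"{name}.csv"), "w", newline="", encoding="utf-8") as fh:
            writer = csv.writer(fh)
            writer.writerow([col[0] for col in cur.description])  # header row from column names
            writer.writerows(rows)
        counts[name] = len(rows)
    conn.close()
    return counts

def archive_logs(src_path, archive_root):
    """One scheduled-task run: timestamped folder holding the DB snapshot plus CSV dumps."""
    out_dir = os.path.join(archive_root, datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ"))
    os.makedirs(out_dir, exist_ok=True)
    return dump_tables_to_csv(snapshot_database(src_path, os.path.join(out_dir, "Logs.db3")), out_dir)

def demo_archive():
    """Build a constructed sample Logs.db3, keep it open (as EIS would), and archive it."""
    work = tempfile.mkdtemp()
    live = os.path.join(work, "Logs.db3")
    conn = sqlite3.connect(live)
    conn.execute("CREATE TABLE IDSLogs (id INTEGER PRIMARY KEY, module TEXT, msg TEXT)")
    conn.execute("CREATE TABLE ScanLogs (id INTEGER PRIMARY KEY, result TEXT)")
    conn.executemany("INSERT INTO IDSLogs (module, msg) VALUES (?, ?)",
                     [("FileGuard", "e1"), ("BehaviorBlocker", "e2"), ("SurfProtection", "e3")])
    conn.execute("INSERT INTO ScanLogs (result) VALUES ('clean')")
    conn.commit()  # connection deliberately left open while the archive runs
    counts = archive_logs(live, os.path.join(work, "archive"))
    conn.close()
    return counts
```

Pointing `archive_logs` at the real Logs.db3 path from a scheduled task gives one timestamped folder per run; the CSV column headers will be the abbreviated names the reply mentions.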