Understanding how the "Archive log files that are older than" setting works

Article ID: 245097


Products

IT Management Suite

Issue/Introduction

In the SMP Console, under Settings > All Settings > Notification Server > Notification Server Settings > Logging tab, there is a setting called "Archive log files that are older than".

How does this work?
What does this setting do?
Can this setting be used to "keep" the Notification Server (NS) logs for a longer period of time, like six months (180 days) worth of NS logs?

Environment

ITMS 8.x

Resolution

This setting archives NS logs that are older than the time range selected in this option. By default this setting is turned off. As an example, we will use the default value of "1 days".

When the scheduled task "NS.NS Log Archive Schedule.{4754ff9c-911b-4d67-9eb0-4d530fb456ab}" executes at 05:00 AM, it archives all available NS logs that are older than 1 day and removes them from the folder "C:\ProgramData\Symantec\SMP\Logs", so no duplicate logs remain for the next day's execution of the log archiving task.

All daily archived logs are stored in the "C:\ProgramData\Symantec\SMP\Logs\Archive" folder. In testing, 200 log files of 2 MB each produced a total zipped size of ~44 MB.

These zipped logs can be dragged and dropped into an open Altiris Log Viewer and reviewed directly; there is no need to unzip them first.

Note: After 1 year there will be a lot of archived log files on the NS, so a customer should manually delete outdated archived logs from the "C:\ProgramData\Symantec\SMP\Logs\Archive" location. The NS doesn't have functionality to purge outdated archived NS log files.

Whether 6 months' worth of logs can be kept depends on the "MaxFiles" registry value under "HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Event Logging\LogFile". Logs that have not yet been archived are overwritten when the "MaxFiles" limit is exceeded.

Our understanding is that 200 log files of 2 MB each will not be overwritten on an SMP Server within 1 day (provided no additional trace/verbose logging is enabled and this SMP Server is not a Parent SMP Server of 4-6 Child SMP Servers). The customer can therefore set logs to be archived every 1 day. If the Altiris admin knows that the SMP Server only reaches ~200 log files after 2-3 days, archiving can be set to every 2-3 days instead.

There is no other way to retain 6 months of NS logs on the NS. The only option is possibly to change the "MaxFiles" registry value and to run the log archiving schedule more often:

On the system click Start > Run > Regedit, and drill down to the appropriate Reg Key:

Notification Server:  HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Event Logging\LogFile

Agent:  HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Event Logging\LogFile

Right-click and modify the following, or create them if they do not exist:

  • MaxSize  (DWORD in Kilobytes)
  • MaxFiles  (DWORD)
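
The following PowerShell script is an added example, not part of the original article or of the product. It reports how close the live NS log folder is to the "MaxFiles" limit (the point at which un-archived logs are overwritten) and removes archives older than a retention window, since the NS does not purge them itself. The folder and registry paths are the ones quoted above; the 180-day window, the 80% warning threshold and the `*.zip` archive filter are assumptions.

```powershell
# Added example, not vendor code. Paths and value names come from the article;
# RetentionDays, the 80% threshold and the *.zip filter are assumptions.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$LogDir        = 'C:\ProgramData\Symantec\SMP\Logs',
    [string]$RegPath       = 'HKLM:\SOFTWARE\Altiris\eXpress\Event Logging\LogFile',
    [int]   $RetentionDays = 180
)

$archiveDir = Join-Path $LogDir 'Archive'

# 1. Headroom check: logs not yet archived are overwritten once MaxFiles is exceeded.
$cfg      = Get-ItemProperty -Path $RegPath -ErrorAction Stop
$maxFiles = $cfg.MaxFiles          # DWORD, number of files
$maxSize  = $cfg.MaxSize           # DWORD, kilobytes per file
$live     = @(Get-ChildItem -Path $LogDir -File)   # top level only, excludes Archive

if ($null -eq $maxFiles -or $maxFiles -le 0) {
    Write-Warning "MaxFiles is not set under $RegPath; cannot compute headroom."
} else {
    $pct = [math]::Round(100 * $live.Count / $maxFiles)
    Write-Output ("Live logs: {0} of MaxFiles={1} ({2}%), MaxSize={3} KB" -f `
        $live.Count, $maxFiles, $pct, $maxSize)
    if ($pct -ge 80) {
        Write-Warning 'Live log count is near MaxFiles; archive more often or raise MaxFiles.'
    }
}

# 2. Retention: remove archived logs older than the retention window.
$cutoff  = (Get-Date).AddDays(-$RetentionDays)
$expired = @(Get-ChildItem -Path $archiveDir -File -Filter '*.zip' |
    Where-Object { $_.LastWriteTime -lt $cutoff })
$sizeMB  = [math]::Round((($expired | Measure-Object -Property Length -Sum).Sum) / 1MB, 1)

Write-Output ("Archives older than {0} days: {1} file(s), {2} MB" -f `
    $RetentionDays, $expired.Count, $sizeMB)

foreach ($file in $expired) {
    # Honors -WhatIf and -Confirm so a dry run lists files without deleting them.
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete expired NS log archive')) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}
```

Run it with `-WhatIf` first to list what would be deleted. If the archives are needed for audit or incident investigation, copy them to separate storage before the retention window expires.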