Understanding how the "Archive log files that are older than" setting works
search cancel

Understanding how the "Archive log files that are older than" setting works

book

Article ID: 245097

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

In the SMP Console under the Settings menu > All Settings >Notification Server > Notification Server Settings > Logging tab, there is this setting called "Archive log files that are older than" as seen here:

What does this setting do?

Can this setting be used to keep the Notification Server (NS) logs for a longer period of time, like six months (180 days) worth of NS logs?

Environment

ITMS 8.x

Resolution

The "Archive log files that are older than" setting archives NS logs that meet the criteria based on the time range selected in this option. By default this setting is turned off.  As example, the default setting is "1 days" .

When the scheduled task "NS.NS Log Archive Schedule.{4754ff9c-911b-4d67-9eb0-4d530fb456ab}" executes at 05:00 AM, it will archive all available NS logs that are older than 1 day and remove them from the folder "C:\ProgramData\Symantec\SMP\Logs" so there will be no duplicate logs remaining for the next day's Archiving logs task execution:

All daily archived logs will be stored in the "C:\ProgramData\Symantec\SMP\Logs\Archive" folder, and for example if there are 200 log files with each being 2mb in size, then their zipped summary size will be ~44mb.

All these zipped logs can be successfully drag-and-dropped into an opened Altiris Log Viewer and reviewed (no need to unzip them to see them in the Log viewer).

Note: After 1 year there will be a lot of archived log files on the NS, so you should manually delete any outdated archived logs from the "C:\ProgramData\Symantec\SMP\Logs\Archive" location. The NS doesn't have functionality to purge outdated archived NS log files.

The need to keep 6 months worth of logs depends on the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Event Logging\LogFile\MaxFiles" registry value, otherwise if logs aren't yet archived they will be overwritten when the "MaxFiles" size is exceeded.

It can be understand that 200 log files with size 2mb each log file, will not be overwritten on SMP Server per 1 day (If there is no additional trace/verbose logging enabled and this SMP Server isn't a Parent SMP server of other 4-6 Child SMP servers), therefore you can set to archive logs every 1 day (or if the you know that there will be ~200 log files after 2-3 days on SMP Server, then set to archive logs after every 2-3 days then instead of every day).

There currently isn't another way to accomplish this purpose to have 6 months NS logs retained on NS.  The only way is to maybe change the "MaxFiles" reg key and adjust the Logs Archiving schedule execution by doing the following:

  • On the system click Start > Run > Regedit, and drill down to the appropriate Reg Key:
  • Notification Server:  HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Event Logging\LogFile
  • Agent:  HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Event Logging\LogFile
  • Right-click and modify the following, or create them if they do not exist:
    • MaxSize  (DWORD in Kilobytes)
    • MaxFiles  (DWORD)
Powered by Wolken Software