4000 log messages deleted emails from CA PAM

Article ID: 46273

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are frequently getting log messages deletion emails from PAM. Database log purging is turned off in our systems on the Configuration > Logs > Automatic Log Purge page.

Can you please help us understand the reason for these logs being deleted from PAM? What is the impact?

Environment

Privileged Access Manager, all versions

Resolution

The session log is stored in a database table that has a maximum number of records, 250,000 in recent PAM releases. Once that number is exceeded, a logwatch process running on the appliance starts purging rows regardless of how the automatic log purge settings are configured on the Configuration > Logs > Automatic Log Purge page. This protects the appliance against a disk-full condition caused by an ever-growing session log. By default the utility checks the session log size every 24 hours and deletes 4,000 rows at a time.

A second check runs every 5 minutes against a second limit, which can be anywhere between 82,000 and 250,000 but in most cases is one or the other. On virtual PAM instances running current releases it is most likely 250,000, in which case log purge emails can arrive at any time of day, separated by a multiple of 5 minutes plus whatever processing time the table size check needs between sleep intervals. If a check finds the limit exceeded by more than 4,000 records, each following check deletes another 4,000 rows, so you may receive several emails containing 4,000 messages each within a short time.

If the option "Require Email be Sent Before Purge" is checked on the Automatic Log Purge configuration page, the 24-hour check will not delete log entries that cannot be sent by email to the Admin Email address configured on the Configuration > Monitor > General Monitoring Parameters page. The 5-minute check, however, deletes the oldest 4,000 records anyway to protect against uncontrolled database growth. In that case the old entries are removed without a copy having been saved in an email attachment, so once the table approaches the limit the session log alone cannot be relied on as a complete record of past activity.

In a cluster environment the limit applies to each node separately. Since PAM release 3.3 every log message is tagged with the ID of the node that wrote it, and because the database is shared, the common table may hold more than 250,000 entries in total while each node stays under its own limit.
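The following model, added here as an illustration and not CA/Broadcom code, reproduces the purge behaviour described in the Resolution so the timing of the emails and the impact of the 5-minute check can be reasoned about. It reads no real PAM database: the row counts are constructed, the 250,000 and 4,000 figures come from the article, the 5-minute limit is assumed to be 250,000 (the virtual-appliance case above), and the assumption that the 24-hour check runs first when both checks coincide is mine.

```python
"""Model of the two PAM logwatch checks described in this article.

Illustrative reconstruction written for this page, not CA/Broadcom code.
Constants come from the article; the 5-minute limit is assumed to be
250,000 (the virtual-appliance case), and the order of the two checks
when they coincide is an assumption.
"""
from dataclasses import dataclass

DAILY_LIMIT = 250_000      # session-log row cap used by the 24-hour check
FAST_LIMIT = 250_000       # 5-minute check limit (article: 82,000 to 250,000)
BATCH = 4_000              # rows deleted, and rows per notification email, per pass
FAST_INTERVAL_MIN = 5
DAILY_INTERVAL_MIN = 24 * 60


@dataclass(frozen=True)
class PurgeEvent:
    minute: int            # simulated wall-clock offset of the purge
    check: str             # "24h" or "5min"
    rows_deleted: int
    emailed: bool          # False means the rows are gone with no emailed copy


def daily_check(rows, require_email, mail_ok):
    """24-hour check: purge BATCH rows once over DAILY_LIMIT, but honour
    'Require Email be Sent Before Purge' by refusing to purge when mail fails."""
    if rows <= DAILY_LIMIT:
        return rows, None
    if require_email and not mail_ok:
        return rows, None
    return rows - BATCH, ("24h", BATCH, mail_ok)


def fast_check(rows, mail_ok):
    """5-minute check: purge the oldest BATCH rows whenever over FAST_LIMIT,
    regardless of the Automatic Log Purge settings or whether mail works."""
    if rows <= FAST_LIMIT:
        return rows, None
    return rows - BATCH, ("5min", BATCH, mail_ok)


def simulate(rows, minutes, require_email=True, mail_ok=True):
    """Run both checks over `minutes` of simulated time for a single node.
    Returns (rows_left, [PurgeEvent, ...])."""
    events = []
    for minute in range(0, minutes, FAST_INTERVAL_MIN):
        if minute % DAILY_INTERVAL_MIN == 0:   # assumption: daily check at t=0, then every 24 h
            rows, hit = daily_check(rows, require_email, mail_ok)
            if hit:
                events.append(PurgeEvent(minute, *hit))
        rows, hit = fast_check(rows, mail_ok)
        if hit:
            events.append(PurgeEvent(minute, *hit))
    return rows, events


def summarize(events):
    """What an administrator observes: emails received, rows purged, and
    rows removed with no emailed copy."""
    return {
        "emails": sum(1 for e in events if e.emailed),
        "rows_purged": sum(e.rows_deleted for e in events),
        "rows_lost_without_copy": sum(e.rows_deleted for e in events if not e.emailed),
        "purge_minutes": [e.minute for e in events],
    }


def cluster_table_size(node_rows):
    """The shared table holds every node's rows, but the limit is per node
    (rows are tagged with the writing node's ID since PAM 3.3).
    Returns (total_rows, [nodes over the limit])."""
    total = sum(node_rows.values())
    over = [node for node, rows in node_rows.items() if rows > FAST_LIMIT]
    return total, over


if __name__ == "__main__":
    # Constructed scenario: one node 12,000 rows over the cap, email-before-purge
    # enabled, and the admin mailbox unreachable.
    left, events = simulate(262_000, minutes=60, require_email=True, mail_ok=False)
    print(left, summarize(events))
    # Constructed two-node cluster: no node purges, yet the table holds 480,000 rows.
    print(cluster_table_size({"node-a": 240_000, "node-b": 240_000}))
```

With mail failing, the first scenario removes 12,000 rows in three 5-minute passes with zero emails sent, which is the case the article warns about; with mail working, the same start state produces three emails of 4,000 messages each within ten minutes.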