Applies to platform: UTM All, Mini ARM All
Last Update: 15 July 2015
This lesson shows the behaviour of the logging system on an Endian UTM Appliance.
Storage of log files on the Endian UTM Appliance
All the log files in the Endian UTM Appliance are stored in the /var/log/ directory and the disk space they occupy is displayed in the Dashboard. when the disk space exceeds 90%, the oldest log files are deleted to make room for the new ones. To learn how to make a backup copy of the log files, you can follow this guide.
Tuning the logging capabilities
From the command line it is possible to customise the behaviour of the logging daemon by means of two variables.
To modify them, log in to the console and edit the file /var/efw/logging/settings. The two variables and their values are:
- LOGS_REMOVE=off. By default this value is not present, so you need to add it. When set to off, the system will not delete any log file. When this option is set, the alternate behaviour is set (see next section).
- LOGS_FREE_PERCENTAGE=10. Default is 10%, meaning that the oldest log files are deleted when the free space is less than 10%, until there is at least 10% space availlable. You may want to change it to ensure that more disk space remains free. It is strongly suggested that this value be at least 5%.
The alternate behaviour
If you do not like Endian UTM Appliance's logging mechanism, or if for any reason you don't want the automathic deletion of the log files, you can use the alternate behaviour (which is Linux' standard mechanism) by simply adding the LOGS_REMOVE=off line to the /var/efw/logging/settings file.
In this case, you should also activate the notification (either via sms or by email) for the "Disk Full" event, in order for you to save older log files and free space for the new log files. A lesson that explaines how to set up notification can be found here.
The efw-syslog package in details
The default behaviour of syslog, in any Linux box, is to stop logging and writing messages to the log files when the partition hosting the /var/log/ directory runs out of space. Since this behaviour can cause many problems to the system and the inability of the sysadmin to track down and identify issues happening to the system, it has been decided that newer versions of the efw-syslog package have a different behaviour than standard Linux systems: Whenever the partition hosting /var/log has more than 90% of space used, the oldest log files are deleted to make room for the new ones. In this way, you should not be worried anymore of the space available on the partition. As previously said, however, this behaviour, can represent a problem if you want to keep all log files, but do not realise in time that there is no more space. If this new behaviour doesn't fit your needs, you can revert to the standard one from the command line, but in this case you must take care of the space available in the partitions, so that syslog can always write log files. The packages that employ the automatic deletion of the oldest log files are: efw-syslog-2.6.5-1.endian9.noarch.rpm (2.4-ARM), efw-syslog-2.9.8-1.endian9.noarch.rpm (2.5).