Archive Logs Using Schedule Log Archival

Document created by RSA Information Design and Development on Jun 13, 2017. Last modified by RSA Information Design and Development on Jun 13, 2017. Version 2.

You can set up a schedule that automatically archives log records on a recurring basis. During archiving, log records are either copied or deleted from the internal database and written to a flat, comma-delimited file. By archiving, you maintain a history of all tasks performed, such as logon attempts and Security Console operations. Archive jobs can run automatically on specified days, weeks, or months.

If you do not set up a batch job schedule, the default job, named Archive Audit Logs Job, runs every day at 1:00 a.m. An archive log job slows system performance, so schedule recurring jobs during off-peak hours.

The system creates one file in addition to those you define. After the system-created file fills up, the oldest file is deleted and a new file is created. This means that you always have the number of files you defined plus one.

To schedule a log archive job to run once, see Archive Logs Using Archive Now.

Before you begin

You need to determine:

  • The directory where the archived logs are stored. You can export archived logs to any one of the following directories:

    • Local Authentication Manager Server

    • Windows Shared Folder

    • NFS (Network File System) Shared Folder

  • Credentials to access the Windows Shared Folder or the NFS Shared Folder.

  • How long you want logs to remain in the database and in the archive. Consider your organization's audit trail requirements, and disk space available for both the database and archive.

  • How often data will be archived

  • How much disk space is available

  • How much data is being archived

  • How you will access the logs if you need them

  • How large you want log files to be

You also need to have write access to the Windows Shared Folder or NFS Shared Folder.

Procedure

  1. In the Security Console, click Administration > Archive Audit Logs > Schedule Log Archival.

  2. In the Job Starts field, enter the date when the job starts.

  3. In the Frequency field, enter how often the job will run (daily, weekly, monthly, and which months and days).

  4. In the Run Time field, enter the time when the job is scheduled to start.

  5. In the Job Expires field, enter the date when the job will stop recurring. This date cannot be earlier than the Job Starts date. If you do not want to set an expiration date, select No expiration date.

  6. Select the appropriate options for administration, runtime, and system messages. The job can handle one, two, or three types of log messages.

    • Log Archival Options. Select a task for this archive job:

      • Purge and export online log data stored for more than a specified number of days.

      • Export online log data stored for more than a specified number of days. After exporting, you can allow the logs to remain in the database or purge the logs from the database.

      • Purge online log data stored for more than a specified number of days.

      • Neither purge nor export online log data.

    • Export Directory. Do one of the following:

      • Select Local Authentication Manager Server. The archived log is stored on the appliance.

      • Select Windows Shared Folder to save the archived logs on a Windows shared folder. Do the following:

        In the Windows Shared Folder field, enter the path to an existing Windows shared folder, for example, \\example.com\Log_archive_folder.

        Enter the user name to the shared folder in the Folder User Name field.

        Enter the password to the shared folder in the Folder Password field.

      • Select NFS (Network File System) Shared Folder. In the NFS Shared Folder field, enter the path to an NFS server and file directory, for example, fileserver.rsa.com:/Log_archive_path.

    • Validate Log. When this option is selected, the system validates the log file and creates a *.sig file in the same folder as the log file. The *.sig file always has the same base filename as the *.log file.

    • Days Kept Online. Enter the number of days that you want to keep logs in the internal database. When a log expires, the system purges the log from the database, and exports the log to the export archive if recurring log archive jobs are configured for export.

      The system subtracts the Days Kept Online value from the current time and rounds the result to the nearest 00:00:00 according to Coordinated Universal Time (UTC). Log data is kept online until that time. Therefore, depending on your time zone, log data may be kept longer than the value that you specify, or log data may be purged before this value is reached.

    • Days Stored Offline. Enter the number of days that you want to keep logs in the export archive. When a log expires, the system deletes it from the export archive.

      Logs for each day are archived to a file that is named for that day. Log entries on that day between 00:00:00 and 23:59:59 UTC are archived to the file for that day. If the number of files exceeds the Days Stored Offline value, the oldest files are purged.

  7. Click Save.
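The retention arithmetic described under Days Kept Online and Days Stored Offline, worked through as an added example (this is not Authentication Manager code; the "YYYY-MM-DD.log" file-name pattern and the ISO-8601 string inputs are assumptions made to keep the example self-contained):

```python
from datetime import datetime, timedelta, timezone


def _utc(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries a UTC offset and normalise it to UTC."""
    return datetime.fromisoformat(iso).astimezone(timezone.utc)


def online_cutoff(now_iso: str, days_kept_online: int) -> str:
    """Return the UTC midnight that bounds online retention.

    Subtract Days Kept Online from the current time and round the result to
    the nearest 00:00:00 UTC. Records older than this instant expire.
    """
    raw = _utc(now_iso) - timedelta(days=days_kept_online)
    midnight = raw.replace(hour=0, minute=0, second=0, microsecond=0)
    if raw - midnight >= timedelta(hours=12):  # past noon rounds up to the next day
        midnight += timedelta(days=1)
    return midnight.isoformat()


def is_kept_online(entry_iso: str, now_iso: str, days_kept_online: int) -> bool:
    """True if a log record is still inside the online retention window."""
    return _utc(entry_iso) >= _utc(online_cutoff(now_iso, days_kept_online))


def archive_file_for(entry_iso: str) -> str:
    """Map a record to its daily archive file; days are UTC days (assumed name pattern)."""
    return _utc(entry_iso).strftime("%Y-%m-%d") + ".log"


def files_to_purge(archive_files, days_stored_offline: int):
    """Oldest archive files to delete once the count exceeds Days Stored Offline."""
    ordered = sorted(archive_files)  # ISO date names sort chronologically
    excess = len(ordered) - days_stored_offline
    return ordered[:excess] if excess > 0 else []


if __name__ == "__main__":
    # Constructed sample: an administrator in UTC-4 checks at 10:30 local time,
    # Days Kept Online = 30. A record 29.6 days old is already expired because
    # the cutoff rounds up to the next UTC midnight.
    now = "2017-06-13T10:30:00-04:00"
    print(online_cutoff(now, 30))                                   # 2017-05-15T00:00:00+00:00
    print(is_kept_online("2017-05-14T19:00:00-04:00", now, 30))     # False
    print(archive_file_for("2017-05-14T21:00:00-04:00"))            # 2017-05-15.log
```

The second timestamp shows the other direction of the time-zone effect: a record written at 21:00 local time lands in the next UTC day's archive file.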

Related Concepts

Log Archives

Related Tasks

Archive Logs Using Archive Now
