Archive Logs Using Archive Now

You can run a job to archive log records on a one-time basis. When the job runs, logs are either copied or deleted from the internal database and written to a comma-delimited flat file. By archiving, you maintain a history of all system events, such as logon attempts and Security Console operations.

The system creates one file in addition to those you define. After the additional file fills up, the oldest file is deleted and a new file is created. This means that you always have the number of files you defined plus one.

To schedule a recurring log archive job, see Archive Logs Using Schedule Log Archival.

Before you begin

You need to know:

  • The directory where the archived logs are stored. You can export archived logs to any one of the following directories:

    • Local Authentication Manager Server

    • Windows Shared Folder

    • NFS (Network File System) Shared Folder

      Note: If you are using a Windows share, RSA Authentication Manager 8.4 requires the SMBv2 or SMBv3 protocol. SMBv1 is no longer supported.

  • Credentials to access the Windows Shared Folder, or NFS Shared Folder.

  • How long logs remain in the database and in the archive. Consider your organization’s audit trail requirements and disk space available for both the database and archive.

  • How much disk space is available.

  • How much data is being archived.

  • How you will access the logs if you need them.

  • How large you want log files to be.

You also need to have write access to the Windows Shared Folder or NFS Shared Folder.

Procedure

  1. In the Security Console, click Administration > Archive Audit Logs > Archive Now.

  2. Select the appropriate options for administrative, runtime, and system messages. This job can handle one, two, or three types of log messages.

    • Log Archival Options. Select a task:

      • Purge and export online log data stored for more than a specified number of days.

      • Export online log data stored for more than a specified number of days. After exporting, you can allow the logs to remain in the database or purge the logs from the database.

      • Purge online log data stored for more than a specified number of days.

      • Do not purge or export online log data.

    • Export Directory. Do one of the following:

      • Select Local Authentication Manager Server. The archived log is stored on the appliance.

      • Select Windows Shared Folder to save the archived logs on a Windows shared folder. Do the following:

        In the Windows Shared Folder field, enter the path to an existing Windows shared folder, for example, \\example.com\Log_archive_folder.

        Enter the user name to the shared folder in the Folder User Name field.

        Enter the password to the shared folder in the Folder Password field.

      • Select NFS (Network File System) Shared Folder. In the NFS Shared Folder field, enter the path to an NFS server and file directory, for example, fileserver.rsa.com:/Log_archive_path.

    • Validate Log. When this option is selected, the system validates the log file and creates a *.sig file in the same folder as the log file. The *.sig file always has the same filename as the *.log file.

    • Days Kept Online. Enter the number of days that you want to keep logs in the internal database. When a log expires, the system purges the log from the database, and exports the log to the export archive if recurring log archive jobs are configured for export.

      The system subtracts the Days Kept Online value from the current time and rounds the result to the nearest 00:00:00 according to Coordinated Universal Time (UTC). Log data is kept online until that time. Therefore, depending on your time zone, log data may be kept longer than the value that you specify, or log data may be purged before this value is reached.

    • Days Stored Offline. Enter the number of days that you want to keep logs in the export archive. When a log expires, the system deletes it from the export archive.

      Logs for each day are archived to a file that is named for that day. Log entries with timestamps between 00:00:00 and 23:59:59 UTC on that day are archived to the file for that day. If the number of files exceeds the Days Stored Offline value, older files are purged.

  3. Click Archive Now.
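The Days Kept Online rounding rule and the per-UTC-day archive file naming described in step 2 are easy to misjudge from a local time zone, which matters when you later need a specific logon event for an audit. The following Python is an added illustration, not part of the product or this documentation; the record timestamps, time zones and messages are constructed samples, and the cutoff logic only reproduces the rule as the text states it.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def days_kept_online_cutoff(now: datetime, days_kept_online: int) -> datetime:
    """Purge boundary as documented: subtract Days Kept Online from the current
    time, then round to the NEAREST 00:00:00 UTC (up if 12:00 or later).
    Records timestamped before the returned instant are expired."""
    raw = now.astimezone(UTC) - timedelta(days=days_kept_online)
    midnight = raw.replace(hour=0, minute=0, second=0, microsecond=0)
    if raw - midnight >= timedelta(hours=12):
        midnight += timedelta(days=1)
    return midnight

def split_online_records(records, cutoff: datetime):
    """Partition (timestamp, message) pairs into (kept, expired) lists."""
    kept, expired = [], []
    for ts, msg in records:
        (expired if ts.astimezone(UTC) < cutoff else kept).append((ts, msg))
    return kept, expired

def archive_file_name(ts: datetime) -> str:
    """Daily archive file a record lands in: named for its UTC day, not local day."""
    return ts.astimezone(UTC).strftime("%Y-%m-%d") + ".log"

def group_by_archive_file(records):
    files = defaultdict(list)
    for ts, msg in records:
        files[archive_file_name(ts)].append(msg)
    return dict(files)

# Constructed scenario: an administrator in US Pacific time (UTC-8) clicks
# Archive Now at 17:00 local on 2024-03-10 with Days Kept Online = 30.
PST = timezone(timedelta(hours=-8))
JST = timezone(timedelta(hours=9))   # second zone, used to show rounding up
NOW_PST = datetime(2024, 3, 10, 17, 0, tzinfo=PST)
SAMPLE_RECORDS = [  # constructed audit events, local (PST) timestamps
    (datetime(2024, 2, 9, 15, 30, tzinfo=PST), "logon failure, admin"),  # 23:30 UTC Feb 9
    (datetime(2024, 2, 9, 16, 30, tzinfo=PST), "logon success, admin"),  # 00:30 UTC Feb 10
    (datetime(2024, 3, 10, 16, 30, tzinfo=PST), "Security Console: Archive Now"),
]

if __name__ == "__main__":
    cutoff = days_kept_online_cutoff(NOW_PST, 30)
    print("cutoff:", cutoff.isoformat(), "=", cutoff.astimezone(PST).isoformat(), "local")
    kept, expired = split_online_records(SAMPLE_RECORDS, cutoff)
    print("kept:", [m for _, m in kept])
    print("expired:", [m for _, m in expired])
    print("archive files:", group_by_archive_file(kept))
```

In this scenario the cutoff is 2024-02-10 00:00 UTC, which is 16:00 local on Feb 9, so the 16:30 local logon is kept even though it is more than 30 days old by the administrator's clock, and it is written to the 2024-02-10 file rather than the Feb 9 one.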