How to optimize InControl Log File storage

Last modified on 17 Feb, 2021. Revision 11
How to optimize InControl Log File storage by using settings related to how long logs should be kept.
Up to date for: InControl 2.33.00
Supported since: InControl 1.00.xx
Status: OK

Description

In environments with many Firewalls, if InControl is configured to collect logs from them, storage space for log files can become an issue. If storage becomes so limited that log files can no longer be stored, this can introduce behavioural issues in how InControl reads and processes logs. Above all, if logs can no longer be saved, there is a risk that potentially critical logs won’t be available when needed.

Objectives with this article

InControl can be configured in a few different ways to make better use of log file storage, and which one to use is entirely up to the user based on their needs. This article discusses the 3 methods by which InControl can be configured to handle log file storage: retention time, manual deletion of archived logs, and saving logs away from the default location.

Optimisation Scenarios

The thing to keep in mind about the scenarios listed here is that there is no real “fits all” solution. While best practices for each scenario are described, it’s entirely up to the user to decide how to manage their storage solution for InControl log files.

For example, if resources are limited and only a small number of logs are required, then simply lowering the retention time setting could be a good fit. However, if resources are available and extended logs are needed, then storing logs in a separate location with its own dedicated storage drive could be a good solution.

Change Retention Time to a lower value

The value needs to be decided by the customer based on how many days/weeks/months’ worth of log files they wish to have stored. The default is 40 days, and lowering this time will clean up older log files, oldest first.

To do this, navigate to the InControl Logging Agent, choose configure, and select the “Log Receiver” tab. Then, for “Retention Time”, change the value to the desired number of days/weeks/months.



Manually delete archived log files from InControl’s Log Files Path

Navigate to the InControl Logging Agent; under the “Log Receiver” tab there is a field for “Log Files Path”. Follow this path to where the log files are stored. It will contain 2 or more folders depending on the number of Firewalls. The path also contains an “ila_analysis” folder, but this can be ignored as it stores processed log files which are used for Log Analyzer.


Each of the other folders is titled with a long alphanumeric string, which is the GUID of a firewall handled by InControl. Inside each GUID folder, there can be a number of folders titled by year, month and date. The oldest ones are all archived, and the folder with the latest date contains archived and active files titled by ascending number, some ending in “.gz” and others ending in “.fwl”. The “.gz” files are archived log files, which are safe to delete. Files ending in “.fwl” are active log files still being written to, and should not be deleted.
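The selection rule above can be scripted as a dry run before anything is removed. This is an added example, not Clavister tooling or code from the original article; the function names, the sample GUID and date folder names are constructed, and using each file's modification time as its age is an assumption.

```python
import os, tempfile, time
from pathlib import Path

SKIP = {"ila_analysis"}  # processed Log Analyzer data: the article says to leave it alone

def firewall_folders(log_path):
    """Every folder under Log Files Path except ila_analysis is a firewall GUID folder."""
    return sorted(p for p in Path(log_path).iterdir()
                  if p.is_dir() and p.name not in SKIP)

def deletable_archives(log_path, older_than_days, now=None):
    """Archived .gz logs older than the cutoff; active .fwl files are never selected."""
    cutoff = (now if now is not None else time.time()) - older_than_days * 86400
    return sorted(f for g in firewall_folders(log_path) for f in g.rglob("*.gz")
                  if f.is_file() and f.stat().st_mtime < cutoff)

def prune(files, dry_run=True):
    """Return the bytes freed; files are only deleted when dry_run is False."""
    freed = 0
    for f in files:
        freed += f.stat().st_size
        if not dry_run:
            f.unlink()
    return freed

def build_sample(root, now):
    """Constructed sample tree: one GUID folder with two date folders, plus ila_analysis."""
    guid = Path(root) / "0a1b2c3d-constructed-guid"
    for day, name, age_days in [("old-day", "1.gz", 30), ("today", "2.gz", 0),
                                ("today", "3.fwl", 0)]:
        f = guid / day / name
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"x" * 100)
        os.utime(f, (now - age_days * 86400,) * 2)
    cache = Path(root) / "ila_analysis" / "cache.gz"
    cache.parent.mkdir()
    cache.write_bytes(b"x" * 100)
    os.utime(cache, (now - 90 * 86400,) * 2)   # old, but must still be skipped
    return Path(root)

if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample(tmp, now)
        old = deletable_archives(root, older_than_days=14, now=now)
        print([str(p.relative_to(root)) for p in old], prune(old), "bytes (dry run)")
```

Review the dry-run list against how far back logs must remain available before calling `prune` with `dry_run=False`.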


Change location for Log Files Path to be stored

If a user wishes to store many log files that go back 40 days or more, and is limited in drive space on the machine InControl is installed on, they can choose to store log files in another place. This can be a network store or a separate drive dedicated to storing log files.

To do this, go to Logging Agents in InControl, configure the Logging Agent and open the “Log Receiver” tab. The “Log Files Path” field there can be changed to any location that is either directly accessible by the machine InControl resides on (an alternate folder or HDD) or a network share that the machine has access to. As best practice, perform the following steps:

  1. Navigate to the Log Files Path InControl is currently using and, for all firewalls configured with InControl, make a note of how many folders with a GUID exist.
  2. Change the Log Files Path to the new location you wish to store log files in, click OK and allow the Logging Agent to deploy.
  3. Monitor the new Log Files Path folder and make sure it begins populating with folders containing a GUID. If you compare them to the old path, and assuming logs are being written by each firewall, you should see the same number of GUID folders in the new location as in the old.
  4. If you wish to have access to the old log files, you can then move the archived folders as described in scenario 2 above and place them inside their respective GUID folders.
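Steps 1, 3 and 4 can be checked with a short script, shown here as an added example that is not part of the original article or of InControl. The function names and the sample folder names are constructed, and treating a date folder as archived only when it holds no “.fwl” file is a cautious assumption based on the file types described in scenario 2.

```python
import shutil, tempfile
from pathlib import Path

def guid_folders(log_path):
    """Firewall GUID folder names under a Log Files Path (ila_analysis is not one)."""
    return {p.name for p in Path(log_path).iterdir()
            if p.is_dir() and p.name != "ila_analysis"}

def check_migration(old_path, new_path):
    """Steps 1 and 3: GUIDs missing from the new path, and GUIDs with no active .fwl yet."""
    old, new = guid_folders(old_path), guid_folders(new_path)
    missing = sorted(old - new)
    idle = sorted(g for g in new if not any((Path(new_path) / g).rglob("*.fwl")))
    return missing, idle

def move_archived(old_path, new_path):
    """Step 4: move date folders that hold no .fwl file into the same GUID folder."""
    moved = []
    for guid in sorted(guid_folders(old_path) & guid_folders(new_path)):
        for day in sorted((Path(old_path) / guid).iterdir()):
            dest = Path(new_path) / guid / day.name
            if day.is_dir() and not any(day.rglob("*.fwl")) and not dest.exists():
                shutil.move(str(day), str(dest))
                moved.append(f"{guid}/{day.name}")
    return moved

def build_sample(root):
    """Constructed layout: two firewalls on the old path, only one logging to the new."""
    old, new = Path(root) / "old", Path(root) / "new"
    layout = [(old, "guid-a", "day1", "1.gz"), (old, "guid-a", "day2", "2.fwl"),
              (old, "guid-b", "day1", "1.gz"), (new, "guid-a", "day3", "1.fwl")]
    for base, guid, day, name in layout:
        f = base / guid / day / name
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"constructed")
    return old, new

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        old, new = build_sample(tmp)
        print(check_migration(old, new))  # guid-b has not appeared on the new path yet
        print(move_archived(old, new))    # only guid-a's fully archived date folder moves
```

A GUID reported as missing means that firewall has not yet written to the new location, so its old folders are left in place until it does.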

Of the solutions above, #3 offers the most flexibility in terms of retaining access to older log files, as well as allowing for more storage space for later. This of course depends on whether or not it’s possible to introduce either a new storage hard drive into the machine that’s hosting InControl, or if that machine has access to network storage.
