These log file sizes are monitored against the file size threshold defined in the product. If a log file exceeds the threshold, it is archived to the log archive directory through log rotation. You can set the log file size threshold between 1 MB and 999 MB. The default size is 10 MB.
Log rotation happens in 2 scenarios:
• When the log file size reaches the defined threshold.
• When the isectpd (product) services are restarted.
In addition to these 2 scenarios, the following rules apply:
• Log rotation also happens when the product is shut down normally.
• If the product is stopped under abnormal circumstances, log rotation does not happen.
• When you start the product after an abnormal process termination, logs are appended to the older log file. But if the older log file size is greater than the threshold, the log file rotation happens first, and the product then starts writing to a fresh log file.
• Log rotation also happens in real time when the product's active log size exceeds the defined threshold.
Every time a log file is rotated, the product also checks the log archive directory size. If the directory size exceeds the threshold, it deletes the oldest file. The threshold of the log archive directory is 5 times the limit defined in the product. For example, if the product uses the default limit of 10 MB, the log archive directory threshold is 5*10 = 50 MB.
These thresholds are also applied to each log archive-related directory (such as isecoasmgr, isecscanfactory, or isecodscollector) in the following directories:
• /opt/isec/ens/threatprevention/var/
• /opt/isec/ens/esp/var/
The archived logs are automatically deleted when the total size of the log archive directory exceeds the threshold (default limit * 5 times). Each process of Endpoint Security for Linux Threat Prevention has its own dedicated archive log directory. If one of these directories exceeds the threshold (default limit * 5 times), the software deletes the oldest log file in that directory. The oldest log file is the file with the smallest number in its secondary name (the numeric suffix). After deleting the oldest log file, the process checks the log archive directory size again. If the directory size is still greater than the threshold, the software deletes the next oldest of the remaining files. This cycle continues until the directory size becomes less than the threshold value (default limit * 5 times).
For example, suppose the log file names in the log archive directory are isectpd.log, isectpd.log00000, isectpd.log00001, isectpd.log0000. isectpd.log is the oldest log file in the archive directory, isectpd.log00000 is the next older file, and isectpd.log00001 is the next older file after that. When log rotation deletes the oldest log file isectpd.log, it no longer appears in the archive directory, and isectpd.log00000 becomes the oldest log file. If isectpd.log and isectpd.log00000 are deleted, isectpd.log00001 becomes the oldest log file. If a process is never started or never executed (for example, On-demand scan is never used), then its log file and log archive directory's size or age does not change.
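The following script is an added example, not part of the product or this documentation. It models the rotation and archive-pruning rules described above (per-file limit of 1 to 999 MB, archive threshold of 5 times that limit, oldest-first deletion where the bare .log file is older than any numbered file) so an administrator can preview which archived files the next rotation would remove from a directory under /opt/isec/ens/threatprevention/var/ without deleting anything. The file-name pattern, the treatment of a directory exactly at the threshold, and the use of MiB for "MB" are assumptions of this example; the sample directory contents are constructed.

```python
import os
import re
from typing import Dict, List, Tuple

MIB = 1024 * 1024
DEFAULT_LIMIT_MB = 10      # product default per-file size threshold
ARCHIVE_MULTIPLIER = 5     # archive directory threshold = 5 x the per-file limit

# Assumed archive naming: <process>.log followed by an optional zero-padded counter.
_ARCHIVE_NAME = re.compile(r"^(?P<base>[A-Za-z0-9_-]+\.log)(?P<num>\d+)?$")


def validate_limit_mb(limit_mb: int) -> int:
    """The product accepts a per-file limit between 1 MB and 999 MB."""
    if not 1 <= limit_mb <= 999:
        raise ValueError(f"log file size limit must be 1..999 MB, got {limit_mb}")
    return limit_mb


def needs_rotation(active_log_bytes: int, limit_mb: int = DEFAULT_LIMIT_MB) -> bool:
    """Rotation is triggered once the active log grows past the configured limit."""
    return active_log_bytes > validate_limit_mb(limit_mb) * MIB


def archive_threshold_bytes(limit_mb: int = DEFAULT_LIMIT_MB) -> int:
    """Archive directory threshold: 5 times the per-file limit (10 MB -> 50 MB)."""
    return validate_limit_mb(limit_mb) * ARCHIVE_MULTIPLIER * MIB


def age_key(name: str) -> Tuple[int, int]:
    """Sort key reproducing the 'oldest first' rule from the text: the bare .log
    file is oldest, then numbered files in ascending order. Names that do not
    look like archived logs sort last and are never chosen for deletion."""
    m = _ARCHIVE_NAME.match(name)
    if m is None:
        return (2, 0)
    num = m.group("num")
    return (0, 0) if num is None else (1, int(num))


def plan_prune(files: Dict[str, int], limit_mb: int = DEFAULT_LIMIT_MB) -> List[str]:
    """Simulate the deletion cycle on a {name: size_in_bytes} snapshot of one
    archive directory: while the directory exceeds the threshold, remove the
    oldest file and re-check. Returns the names that would be deleted, in order."""
    threshold = archive_threshold_bytes(limit_mb)
    remaining = dict(files)
    deleted: List[str] = []
    while sum(remaining.values()) > threshold:
        candidates = [n for n in remaining if _ARCHIVE_NAME.match(n)]
        if not candidates:
            break  # nothing left that the rotation logic would touch
        oldest = min(candidates, key=age_key)
        deleted.append(oldest)
        del remaining[oldest]
    return deleted


def snapshot_dir(path: str) -> Dict[str, int]:
    """Read a real archive directory into the {name: size} shape plan_prune expects."""
    return {e.name: e.stat().st_size for e in os.scandir(path) if e.is_file()}


# Constructed sample: a 62 MiB archive directory under the default 10 MB limit.
SAMPLE_ARCHIVE = {
    "isectpd.log": 4 * MIB,
    "isectpd.log00000": 10 * MIB,
    "isectpd.log00001": 10 * MIB,
    "isectpd.log00002": 10 * MIB,
    "isectpd.log00003": 10 * MIB,
    "isectpd.log00004": 10 * MIB,
    "isectpd.log00005": 8 * MIB,
}

if __name__ == "__main__":
    # Run against the constructed sample; swap in snapshot_dir("/opt/isec/ens/threatprevention/var/<process>")
    # (placeholder path) to preview a real directory.
    for name in plan_prune(SAMPLE_ARCHIVE):
        print("next rotation would delete:", name)
```

On the constructed sample the planner removes isectpd.log (62 MiB becomes 58 MiB, still above 50 MiB) and then isectpd.log00000 (48 MiB), then stops, which is exactly the two-step cycle the text walks through. A long deletion list from a real directory is a sign that the per-file limit is too small for the volume that process logs, and that scan evidence is being discarded faster than it can be collected.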