all about logging...

Can someone verify for me some information about logging? I need to store logs on a 12 month rotation but I only want what I really need. In other words am I storing redundant information?

questions:

1. Where do the tabs in my ERAC store log files? Are the Threat\Firewall\Event\Scan logs all stored in the database?

2. Does the same information from these tabs get logged if I have "log to a test file" enabled?

3. Where do my reports pull their information from? The database? The text logs?

4. What is the difference between the server maintenance option for deleted logs and the logging option for deleting logs?

 

The logs themselves are kept in the "storage" folder of your ERAS, the database contains pointers to the various dat and log files that it pulls the data from when you access the various tabs. I'm not familiar with the log to a test file option, but I have a feeling that it will dump all of that info in to a single text file to parse in addition to normal logging operation. Reports are built off the data queried from the logs and then saved to the "Reports" folder of your ERAS. Server maintenance is cleanup of the logs that the actual clients create (threats, scan logs, whatever), where the logging tab is for logging of the actual ERAS service and any errors or notifications that might generate.

Just as a suggestion, you may want to enable NTFS compression on the Storage folder of your ERAS, since it is mostly text files it can compress at around a 4:1 ratio.

 

I apologize... mistype.. I meant log to a text file... it's under the logging tab

basically I have my logging enabled and have the selection log to a text file checked. I know these logs are stored on my E: drive. Is the application actually pulling information from these logs and displaying on the screen or is that "storage" folder different?

and... thanks for your reply as always.. you have really helped me out...

 

Okay, so.... the "storage" folder is an actual folder. I see .dat files in these folders I am assuming this is the information displayed in the tabs. Does the information in these tabs also get written to the text files if you have "log to text file" enabled?

 

No, anything under the logging tab only related to functions performed by the ERAS services themselves, not actions taken by the clients. The log to text file option generates a single log file telling you operations and errors taken through your console (updating mirror signatures, pushing out configurations or policies, things like that) and does not contain info on individual clients. If you are having problems with your server misbehaving, this is the log file you will look at to help diagnose it.

Client log data is automatically written to the files in the storage folder and that feature cannot be fully disabled. This is the data that populates the various tabs of your console. You can only limit how much is kept there by tuning the server maintenance options.

 

AhHa!

The light is flickering now.. thank you for the clarification.

One more question... what is the standard procedure for backing up client logs? Can I just back up the storage folder?

 

I just let a weekly backup to tape job take care of mine. If you only back up the storage folder, you will have a big mess of log/dat files but they won't reference against any events in the console and will be essentially orphaned. You are better off backing up the entire ESET Remote Administrator\server directory which will capture your database (assuming you used the defaults), storage, policies, and reports and preserve those linkages between the events that are stored in the database to the data about those events that is kept in the various storage directories.

 

Thank you so much for all of your help!

 

Oh.. sorry 1 more thing if you don't mind. What is the purpose of the log to OS application log? If I am already getting my log information from the storage folder and displayed in my console?

 

It will dump those events to the application event log. Its nice, in my opinion, because the event log is easier to pick through for errors instead of the built-in log viewer. And its really nice if you have something that aggregates the event logs on all your servers automatically.

 

Do you know if it is possible to export all of the logs? For example if I had to rebuild my database but had to retain 12 months of logs...