Appliance Administrators can configure SPP to perform weekly maintenance, audit log purge, and audit log archiving to a designated archive server. Archiving audit logs allows you to keep critical and relevant data online and current while eliminating or archiving audit logs that are no longer required.
The benefits of purging audit logs include smaller backups and less audit log data to stream when enrolling a new cluster member. It is recommended you store no more than six months of audit logs on your Safeguard appliance.
The default Audit Log Maintenance configuration is to synchronize data and audit logs only on Saturday at 12 a.m.
CAUTION: Audit Log Maintenance locks the cluster. The operations can take hours depending on the amount of audit log data on the appliance, the amount of data being archived/purged, and the network between the synchronizing nodes in the cluster. If configured to delete audit logs, each appliance will enter maintenance and be unavailable for approximately 5 minutes at some point during the audit log maintenance window.
View Audit Log Maintenance settings
- While connected to the primary appliance, go to Audit Log Maintenance:
- web client: Navigate to Backup and Retention > Audit Log Maintenance.
- If configured, the following displays:
- Archive: The archive server, if required by the operation.
- Action: The action defined in Audit Log Maintenance.
- Schedule: A description of the schedule, such as Every Saturday at 12:00 AM.
- Next Scheduled Maintenance: The next time the scheduled maintenance will run.
- Last Successful Archive/Purge: The local time of the last successful archive or purge.
- Last Failed Archive/Purge: The local time of the last failed archive or purge.
- Last Audit Log Sync: The local time of the last audit log synchronization.
- Last Data Sync: The local time of the last data synchronization.
Configure and schedule Audit Log Maintenance
To define and schedule Audit Log Maintenance, configure the following. For a cluster, configure the primary appliance. Each action will take some time to process. The cluster is locked during the process and other cluster operations cannot be performed. You can check progress in the Activity Center.
- While connected to the primary appliance, go to Audit Log Maintenance:
- web client: Navigate to Backup and Retention > Audit Log Maintenance.
- Click Settings to configure Audit Log Maintenance.
- On the Audit Log Maintenance dialog, select an action:
- Synchronize data and audit logs only (default action): Data and audit logs are synchronized. If any data fails to synchronize, synchronize will run again on the next day at the configured Start time. Audit logs are not archived or purged from the appliance.
- Synchronize after archiving and deleting audit logs older than __ days. Audit logs older than the number of days specified will be archived to the specified archive server by the primary. Next, those audit logs will be removed from each node, requiring a short maintenance on each. Purged audit logs cannot be recovered. The default is 365 days. The minimum is 30 days and there is no maximum. The benefits of purging audit logs include smaller backups and less audit log data to stream when enrolling a new cluster member. It is recommended you store no more than six months of audit logs on your Safeguard appliance. This option is only available if you have configured an archive server. For more information, see Adding an archive server.
- Enter the days. Audit logs older than the number of days specified will be archived and then purged from the appliance(s). The default is 365 days. The minimum is 30 days and there is no maximum. Cluster enrollment could take longer if higher retention values are used. Data is also synchronized.
- Select a configured archive server in Send to archive server. Audit logs are archived to the specified archive server during a scheduled audit log maintenance or when Run Now is selected.
- Synchronize after deleting audit logs older than __ days. Audit logs older than the number of days specified will be purged from the appliance(s). Purged audit logs cannot be recovered. The default is 365 days. The minimum is 30 days and there is no maximum. The benefits of purging audit logs include smaller backups and less audit log data to stream when enrolling a new cluster member. It is recommended you store no more than six months of audit logs on your Safeguard appliance.
- Set the schedule for Audit Log Maintenance to run:
- Select the Day of the week. The default is Saturday.
- Click Time and select the Start Hour. The default is 12:00 a.m.
- Select the time zone. The default is Coordinated Universal Time (UTC).
- Click OK.
Monitoring the progress of Audit Log Maintenance
Audit Log Maintenance automatically runs the configuration settings and schedule you enter. You can also run Audit Log Maintenance manually. Check the results in the Activity Center based on the action. If you need to cancel the operation at any point, follow the steps in Cancel Audit Log Maintenance from the Audit Log Maintenance page.
- Synchronize data and audit logs only (and not perform archive and delete):
- Processing and successful completion: Audit log maintenance synchronize has both a data and audit log sync component. These only do work in a cluster. At the beginning of the operation, the cluster is locked for "ensuring data consistency". This can be viewed on both the Audit Log Maintenance summary and in the Settings > Cluster Management.
The start of data synchronization is recorded with a SynchronizingDataStarted event. Upon completion, the SynchronizingDataCompleted event reports if all data was successfully synchronized or if only a portion completed. Next, the start of the audit log synchronization is recorded with the SynchronizingAuditLogStartedEvent. Upon completion, the SynchronizingAuditLogCompletedEvent will report if all audit logs were successfully synchronized or if only a portion completed.
In order to ensure every appliance has consistent data and audit logs, synchronize must successfully synchronize all data every week.
- Failed portions: If the complete events indicate not all sync was successful, the sync will trigger the following day at the configured start hour and retry failed portions.
- Synchronize after archiving and deleting audit logs older than __ days:
- Processing: Audit log archiving selects all the audit logs after the purge date to archive. At the beginning of the operation, the cluster is locked for Archiving and/or purging audit logs. Audit log maintenance will proceed with the purge only if the archive is successful. On each appliance, the purge operation will determine if there is data to purge. If so, the replicas will enter maintenance one at a time to purge the data. Each appliance should be in maintenance for less than five minutes. Once complete, the primary will purge while in maintenance. The cluster lock will be released. Audit log maintenance will now proceed to the synchronize operations as detailed in the bullet above.
- Successful: When the archive is successfully sent to the archive server, it will generate an ArchiveTaskSucceeded event. If purge is required and successful, it will generate the AuditLogPurged event. The cluster lock will be released and the SchedulerJobSucceeded event will mark the end of the archive/purge operations. Audit log maintenance will continue on to synchronize as detailed above.
- Failed: If the primary appliance is unable to archive the audit logs, there will be no ArchiveTaskSucceeded event and there will be no subsequent purge. The data will remain on all appliances. The archive/purge operation will complete with a SchedulerJobFailed event containing Job ID = core.AuditLogMaintenance. You can see the reason for the failure in the event. Audit log maintenance will continue on to synchronize as detailed above.
- Synchronize after deleting audit logs older than __ days:
- Processing: Audit log purging enumerates all the audit logs after the purge date to delete from each appliance in the cluster. The data cannot be recovered. At the beginning of the operation, the cluster is locked for Archiving and/or purging audit logs. On each appliance, the purge operation will determine if there is data to purge. If so, the replicas will enter maintenance one at a time to purge the data. Each appliance should be in maintenance for less than five minutes. Once complete, the primary will purge while in maintenance. The cluster lock will be released. Audit log maintenance will now proceed to the synchronize operations as detailed in the bullet above.
- Success: If purge is required and successful, it will generate the AuditLogPurged event. The cluster lock will be released and the SchedulerJobSucceeded event will mark the end of the archive/purge operations. Audit log maintenance will continue on to synchronize as detailed above.
- Failed: If the primary appliance is unable to delete the audit logs, the operation will complete with a SchedulerJobFailed event containing Job ID = core.AuditLogMaintenance. You can see the reason for the failure in the event. Audit log maintenance will continue on to synchronize as detailed above.
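The event sequences described above can be checked mechanically. The following is an added example, not One Identity code: it classifies one maintenance run from an ordered list of Activity Center events and flags a purge that was not preceded by a successful archive. The record keys (name, job_id, reason, partial), the action labels and the sample events are assumptions constructed for illustration, and each list is assumed to hold a single run.

```python
JOB_ID = "core.AuditLogMaintenance"  # Job ID the page gives for archive/purge results

def norm(name):
    """Fold the page's spelling variants (trailing 'Event', 'AuditLogs') into one name."""
    if name.endswith("Event"):
        name = name[:-len("Event")]
    return name.replace("AuditLogs", "AuditLog")

def assess_run(events, action):
    """events: ordered dicts with assumed keys 'name', 'job_id', 'reason', 'partial'.
    action: 'sync', 'archive_purge' or 'purge' (labels invented for this example)."""
    names = [norm(e["name"]) for e in events]
    job = [norm(e["name"]) for e in events if e.get("job_id") == JOB_ID]
    findings = []
    def pos(n):
        return names.index(n) if n in names else None
    archive, purge = pos("ArchiveTaskSucceeded"), pos("AuditLogPurged")
    if action == "archive_purge" and purge is not None and (archive is None or archive > purge):
        findings.append("purge recorded without a prior successful archive")
    for e in events:
        if e.get("job_id") == JOB_ID and norm(e["name"]) == "SchedulerJobFailed":
            findings.append("archive/purge failed: " + e.get("reason", ""))
    if any(e.get("partial") for e in events):
        findings.append("partial sync: retry runs the next day at the start hour")
    job_done = action == "sync" or bool({"SchedulerJobSucceeded", "SchedulerJobFailed"} & set(job))
    data, logs = pos("SynchronizingDataCompleted"), pos("SynchronizingAuditLogCompleted")
    sync_done = data is not None and logs is not None and data < logs
    if not sync_done:
        findings.append("synchronization not yet complete")
    return {"archived": archive is not None, "purged": purge is not None,
            "safe_for_cluster_ops": job_done and sync_done, "findings": findings}

# Constructed sample runs (not real Activity Center exports).
GOOD_RUN = [
    {"name": "ArchiveTaskSucceeded"}, {"name": "AuditLogPurged"},
    {"name": "SchedulerJobSucceeded", "job_id": JOB_ID},
    {"name": "SynchronizingDataStarted"}, {"name": "SynchronizingDataCompleted"},
    {"name": "SynchronizingAuditLogStartedEvent"},
    {"name": "SynchronizingAuditLogCompletedEvent"},
]
FAILED_ARCHIVE = [
    {"name": "SchedulerJobFailed", "job_id": JOB_ID, "reason": "archive server unreachable"},
    {"name": "SynchronizingDataCompleted"},
    {"name": "SynchronizingAuditLogsCompletedEvent"},
]

if __name__ == "__main__":
    for label, run in (("good", GOOD_RUN), ("failed archive", FAILED_ARCHIVE)):
        print(label, assess_run(run, "archive_purge"))
```

Because purged audit logs cannot be recovered, the "purge recorded without a prior successful archive" finding is the one to alert on when the archive-and-delete action is configured.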
Manually run Audit Log Maintenance
You can manually run Audit Log Maintenance. The same operations detailed above based on the Audit Log Maintenance configuration execute. Each action will take some time to process. The cluster is locked during the process and other cluster operations cannot be performed. You can check progress in the Activity Center.
- While connected to the primary appliance, go to Audit Log Maintenance:
- web client: Navigate to Backup and Retention > Audit Log Maintenance.
- Click Settings to ensure the Audit Log Maintenance configuration is correct.
- Click Run Now to run Audit Log Maintenance as configured. You will be presented with a confirmation dialog box. How you proceed will depend on the action you selected:
- If the action is Synchronize data and audit logs only (and not perform archive and delete), the Synchronize Data and Audit Logs dialog box displays.
- Type in Synchronize in the text box then click OK. To monitor progress in the Activity Center, see Monitoring the progress of Audit Log Maintenance.
- If the action is Synchronize after archiving and deleting audit logs older than __ days, the Archive dialog box displays with the name of the archive server.
- Type Archive in the text box and click OK. To monitor progress in the Activity Center, see Monitoring the progress of Audit Log Maintenance.
- If the action is Synchronize after deleting audit logs older than __ days, the Purge Audit Log dialog displays indicating that the audit log will be purged according to the retention policy (the number of days you entered). Purged audit logs cannot be recovered.
- Type Purge in the text box and click OK. To monitor progress in the Activity Center, see Monitoring the progress of Audit Log Maintenance.
Cancel Audit Log Maintenance from the Audit Log Maintenance page
When Audit Log Maintenance is running, the cluster is locked and a Cancel button is available. When you click Cancel, you will be presented with an Unlock Cluster confirmation dialog. Enter Unlock Cluster and click OK. The cluster lock is released immediately; however, you must monitor Activity Center as follows to ensure the operations are complete. For more information, see Monitoring the progress of Audit Log Maintenance.
- Synchronize data and audit logs only: When you cancel, the lock is released immediately; however, you must monitor Activity Center for completion of the work. In the Activity Center, wait for the SynchronizingDataCompletedEvent then the SynchronizingAuditLogsCompletedEvent to appear before proceeding with other clustering operations to ensure all nodes in the cluster hold all of the audit data. Once canceled, the cluster will try to complete the audit log synchronization at the Audit Log Management Start Hour on the next day.
- Synchronize after archiving and deleting audit logs older than __ days: When you cancel, the lock is released immediately; however, you must monitor Activity Center for completion of the work. If you elect to cancel while the cluster is locked for Archiving and/or purging audit logs, monitor Activity Center for the SchedulerJobSucceeded or SchedulerJobFailed event, containing Job Id = core.AuditLogMaintenance, indicating the archive/purge has completed. Audit Log Maintenance will continue to synchronize regardless. You will also need to cancel once you see the cluster is locked for Ensuring data consistency. Monitor the Activity Center for the SynchronizingAuditLogCompleted event indicating the operation completed. It is now safe to continue with your clustering operation.
- Synchronize after deleting audit logs older than __ days: When you cancel, the lock is released immediately; however, you must monitor Activity Center for completion of the work. If you elect to cancel while the cluster is locked for Archiving and/or purging audit logs, monitor Activity Center for the SchedulerJobSucceeded or SchedulerJobFailed event, containing Job Id = core.AuditLogMaintenance, indicating the archive/purge has completed. Audit Log Maintenance will continue to synchronize regardless. You will also need to cancel once you see the cluster is locked for Ensuring data consistency. Monitor the Activity Center for the SynchronizingAuditLogCompleted event indicating the operation completed. It is now safe to continue with your clustering operation.
To cancel Audit Log Maintenance from Cluster Management
You can also cancel Audit Log Maintenance from Cluster Management by unlocking the cluster with the following steps. For more information, see Unlocking a locked cluster.
- Go to Cluster Management:
- web client: Navigate to Cluster > Cluster Management.
- On Cluster Management, a banner like the following displays: Archiving and/or purging audit logs and the Start Time displays. The message reminds you that the cluster is locked during the process and other cluster operations cannot be performed. The cluster will unlock automatically when the operation is complete.
- Click the lock icon in the upper right corner of the warning banner.
- In the Unlock Cluster confirmation dialog, enter Unlock Cluster and click OK.
This will release the cluster lock that was placed on all of the appliances in the cluster and close the operation.
IMPORTANT: Care should be taken when unlocking a locked cluster. It should only be used when you are sure that one or more appliances in the cluster are offline and will not finish the current operation. If you force the cluster unlock, you may cause instability on an appliance, requiring a factory reset and possibly the need to rebuild the cluster. If you are unsure about the operation in progress, do NOT unlock the cluster.