Our logger re-started indexing yesterday morning, which usually happens after a reboot of the logger.
Which events exactly do I have to search for to make clear what really happened?
We run the Logger appliance v18.104.22.16838.0
Unfortunately, I can't simply look in the /var/log/messages to search for the boot messages.
Events in the storage group "Logger Internal Event Device [Var Log Messages]" do not help.
Only messages like
Is it a normal behaviour for the Logger that after reboot the indexing begins from null?
For instance, after the reboot on Sunday, the menu "Summary > Global Summary" looks like
There are 2,077,626 events indexed from 2013/10/20 08:36:38:426 CEST to 2013/10/21 13:11:00:024 CEST
In fact, the events have been logged for months, without aging out.
Something different is written in the documentation:
"Specifically, the Summary page contains the following panels:
The number of events indexed on your Logger during the time period displayed on the
screen. The time period is dependent on the retention policy of your Logger, where the
start and end times are the time of the oldest events stored on your Logger (that have
not aged out due to retention) and the current time, respectively."
Of course, I'm able to select events older than Oct 20.
The Release Notes for Logger 5.3 SP1 (page 15) describes this as a known issue.
"There is a known issue with the new Global Summary Persistence functionality in Logger 5.3 GA. This feature is designed to persist the statistics reported in the global summary section of Logger through a reboot. In some environments, disk space or server memory may be affected due to this feature. This release turns off the Global Summary Persistence functionality. As soon as possible, after upgrading to Logger 5.3 SP1, enter system maintenance mode and defragment the Global Summary table. Refer to the Logger 5.3 SP1 Administrator’s Guide for instructions".
For a regular reboot, the following event is logged:
This applies only to regularly initiated reboots. Which message should I search for if somebody simply turned off the power supply of the Logger?
Thanks for your suggestion.
Unfortunately, after defragmentation of the Global Summary table and reboot of appliance, the problem still exists.
In the Global Summary, the indexing begins with the date/time of the reboot.
"There are 10,305 events indexed from 2013/10/21 14:23:54:516 CEST to 2013/10/21 14:30:26:462 CEST."
Millions of events logged before are not mentioned, although they are still kept in the logger.
Looking at the Logger Administrator Guide, Appendix C, Logger Audit Events, I don't know for sure if pulling the power cord would result in a
platform:282 7 /Appliance/State/Shutdown Appliance poweroff initiated
But when it comes back up, I would expect to see
platform:408 5 /Appliance/State/Startup Appliance startup completed deviceCustomDate1: Startup Date
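
An added example, not part of the original thread or of the Logger product: one way to separate announced reboots from unannounced ones is to pair each platform:408 startup event with a preceding platform:282 shutdown event, using the two event IDs quoted above. The export line layout, the sample lines and the function name are assumptions constructed for illustration, and a startup with no preceding shutdown is only a candidate for power loss or a crash, not proof of one.

```python
import re
from datetime import datetime

# Event IDs quoted in the thread from Appendix C of the Logger Administrator Guide.
SHUTDOWN_ID = "platform:282"  # /Appliance/State/Shutdown, "Appliance poweroff initiated"
STARTUP_ID = "platform:408"   # /Appliance/State/Startup, "Appliance startup completed"

# Constructed sample export: "<timestamp> <event id> <severity> <category> <message>".
# This layout is an assumption; adapt LINE_RE to the format of your own search export.
SAMPLE = """\
2024-01-07 07:58:02 platform:282 7 /Appliance/State/Shutdown Appliance poweroff initiated
2024-01-07 08:03:41 platform:408 5 /Appliance/State/Startup Appliance startup completed
2024-01-14 08:36:38 platform:408 5 /Appliance/State/Startup Appliance startup completed
2024-01-15 14:20:10 platform:282 7 /Appliance/State/Shutdown Appliance poweroff initiated
2024-01-15 14:23:54 platform:408 5 /Appliance/State/Startup Appliance startup completed
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(platform:\d+)\s")


def classify_startups(text):
    """Return [(startup_time, 'clean' | 'unannounced')] in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) in (SHUTDOWN_ID, STARTUP_ID):
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((when, m.group(2)))
    events.sort()

    results = []
    shutdown_seen = False  # has a poweroff been logged since the previous startup?
    for when, event_id in events:
        if event_id == SHUTDOWN_ID:
            shutdown_seen = True
        else:
            # A startup with no poweroff logged before it was not announced.
            results.append((when, "clean" if shutdown_seen else "unannounced"))
            shutdown_seen = False
    return results


if __name__ == "__main__":
    for when, verdict in classify_startups(SAMPLE):
        print(when.isoformat(sep=" "), verdict)
```

The first startup in any export window is flagged as unannounced if the matching shutdown falls before the window, so start the search range early enough to include it.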