Online and Offline Audit Data
Online Audit Data
The online audit entries are maintained online based on the values specified for the maxEntriesOnlineAuditData and DaysOnline parameters of the audit subsystem.
See also Searching Audit Messages for optional parameters of the QueryAuditHistory service and Exporting Audit Data for information on using the ExportAuditData service to export the JSON file.
Offline Audit Data
Offline audit data provides a storage location for audit data that you do not need to access often but that you want to keep for administrative purposes. The archive operation copies online audit data to offline storage.
The retention criteria for the audit subsystem specify the number of days to retain audit data online and the threshold for the number of rows in the online audit data table. As of v.8.5.0 of the ThingWorx Platform, the archive operation no longer deletes data that meet either of the retention criteria. Instead a separate purge operation deletes this data if either criteria is met.
The export operation calls the ArchiveAuditHistory service, which copies the requested data from the AuditArchiveFileRepository to the specified export file.
Archive and purge operations are automatic and run daily by default. The online audit messages are persisted to files that are stored in the AuditArchiveFileRepository of the audit subsystem. You cannot configure this repository.
Offline in this context means that the audit messages can no longer be filtered or searched, and that they are no longer stored in the database.
The offline files are archived without localization. An offline reader service, called ExportAuditData, is available to retrieve them, based on a specified locale. See Exporting Audit Data for more information.
The hierarchy for offline archive files follows:
Hierarchy of Offline Archive
The dated folder is for the date of the Audit messages it contains, NOT the date that the archive was run. As shown in the diagram above, the format of the dated folder name is YYYY-MM-DD (ISO 8601) format, with a new folder for every day of audit messages. The "Offline Audit Chunks" are in a zipped JSON file that contains audit messages for that date. The default chunk size is 50,000 rows (the minimum size). A system administrator can change the default size of chunks in the configuration of the audit subsystem. For example, the system administrator could specify a chunk size of 70,000 rows. A zipped chunk file would exist for that many rows of messages in the dated folder. If every audit entry were ~1KB, the size of a chunk file would be around ~70MB unzipped or in memory.
Data Retention and Performance
To maximize performance, a balance of online audit data and offline data storage is required. The audit subsystem provides both archiving and purging operations to help you achieve the optimum balance for your system. You can use the following properties of the subsystem to control the retention of online audit data:
DaysOnline — The archive operation checks the DaysOnline parameter of the audit subsystem to determine which audit messages should be archived and which should remain available online. The DaysOnline parameter specifies how may days’ worth of audit data should be retained online. The default number of days to retain online audit data is 60.
maxEntriesOnlineAuditData — This threshold setting for the audit subsystem specifies the number of rows that can exist in the online audit data table before the purge operation is invoked.
The settings for these parameters determine how much audit data will be retained when the PurgeAuditData service runs (whether automatically as determined by the scheduler Thing or manually invoked). The ArchiveAuditHistory service archives all the online audit data. As long as the archive operation is scheduled to run first, online audit data that is older than the value of DaysOnline AND online data that exceeds the maximum online row count, are archived before the purge operation.