Archiving and Purging Online Audit Data (Data Table)
To archive online audit data, the Data Table implementation of the Audit Subsystem provides the service, ArchiveAuditHistory. This service can be run manually and should be run on a regular basis. You can configure the AuditArchiveScheduler Thing to run using a CRON expression. A CRON expression provides flexibility for setting up intervals.
The ArchiveAuditHistory service copies online audit data to offline archive zip files within the AuditArchiveFileRepository. For the Data Table implementation, the audit data is stored in the AuditArchive directory of the repository.
The archive operation of the Data Table implementation considers two parameters of the audit subsystem to determine when archiving is needed:
Number of days of online audit data to maintain controls how long audit data remains online. This parameter specifies the number of days that online data should remain in the online storage. The default number of days is 60. If you keep this default value, any data that is older than 60 days is automatically archived to offline storage and deleted from the online storage based on a scheduler.
maxEntriesOnlineAuditData controls the maximum number of rows that an audit table can hold. before online data is subject to being archived to offline storage. The default value of this parameter is 500000 rows.
Once an audit entry has been copied into the offline storage, it remains in the online storage for the number days configured for the Number of days of online audit data to maintain property of the Audit Subsystem. If you configure a scheduler for the archive operation, it runs automatically based on the schedule. If you run it manually, the archiving service takes a date parameter, called olderThanDate for specifying the earliest date to archive audit entries from online storage to a file within the configured Audit file repository.
When the AuditArchiveScheduler is configured to trigger the archive process daily at a specific time, the audit archive process starts every day, regardless of the outcome of the previous run. You do not need to restart Tomcat for the process to run the next day if it fails. If today's archive process does not complete by the next scheduled start time, the system does not stop any executions that are still running. Rather, it waits for that previous execution to complete before starting another one.
The archive operation does not delete any audit messages from the online data store. It just copies them to the offline data store. To delete online audit messages, you need to use the purge operation.
Purge Operation
To delete audit messages from the online storage, use the PurgeAuditData service. If enabled, the AuditPurgeScheduler controls when this service deletes audit data. This service deletes entries that are older than the days specified for the Number of days of online audit data to maintain parameter of the audit subsystem. The operation also deletes entries in an audit table whose size exceeds the maximum number of rows specified for the maxEntriesOnlineAuditData parameter of the subsystem.
The purge operation deletes only data that has been archived. If it finds some audit messages to delete that were not previously archived, it first archives them, and only after that deletes them.
Never disable the purge scheduler. Doing so prevents the system from periodically copying the online audit data to the offline repository and then deleting it. Allowing the online data to accumulate to a very high amount without periodic purge operations may eventually bring the platform down.
Was this helpful?