Disk space for logs and reports
The firewall stores reports, event logs, and troubleshooting logs in the /var folder.
The folder also stores data related to other firewall components. These components are allotted individual space quotas based on their functionality.
The available disk space in the /var folder depends on the following factors:
- Disk space allotted to the folder depends on the appliance model.
- Reports and logs consume space based on the frequency of network events and the settings you specify, such as the report retention period and troubleshooting logs' debug mode status. They take up more space over time, and the lower appliance models may run short of disk space.
Disk is nearly full
See how space is allotted to reports and logs and how the firewall processes them when the disk is nearly full.
Component and folder name | Disk space | When space is nearly full | Alert |
---|---|---|---|
Reports (reportdb_16) | Occupies the available disk space in the /var folder. | Stops saving reports. See Reports. | Firewall generates alerts by default. |
Event logs (eventlogs) | A percent of the /var folder is allotted based on the appliance model. | Deletes older logs. Continues to log new events. See Logs. | No alerts. |
Troubleshooting logs (tslog) | Specific disk space is allotted to each component based on the appliance model. Critical components are allotted more space. | Deletes older compressed log files. Continues to generate new logs. See Troubleshooting logs. | No alerts. |
Email quarantine (quarantine) | You select the disk space under Quarantine settings on the web admin console. | Deletes older emails. Continues to quarantine new emails. See Quarantine area. | No alerts. |
Identify the cause for the full disk
To identify what's taking up disk space, do as follows:
- Make sure packet capture isn't running. It takes up disk space.
- If you copied any files into the /var folder, delete them.
- To check the space consumed by the components, use the following commands:
    - Reports:
      du -kh reportdb_16
    - Event logs:
      du -kh eventlogs
    - Troubleshooting logs:
      du -kh tslog
- Check the following email components:
    - Go to Email > Quarantine settings, and select the lowest disk area option for Email quarantine.
    - Go to Email > Mail spool and click Retry or Delete to clear the emails.
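
The per-folder du checks above can be combined into one pass that also covers the quarantine folder from the table and reports how full the filesystem is, which matters because event logs, troubleshooting logs, and quarantined emails are deleted without an alert. This is an added example, not Sophos code: the function names are hypothetical, and it assumes a POSIX shell with du, df, awk, and sort, and that the component folders sit directly under the base directory passed in (/var by default).

```shell
#!/bin/sh
# Added example (not from the product documentation).
# Assumption: the folders named in the table sit directly under the base directory.
COMPONENTS="reportdb_16 eventlogs tslog quarantine"

# Print "<KB> <folder>" for each component found under $1, largest first.
component_usage() {
    base=${1:-/var}
    for c in $COMPONENTS; do
        [ -d "$base/$c" ] || continue
        # du -sk prints one summary line in 1 KB blocks
        kb=$(du -sk "$base/$c" 2>/dev/null | awk '{print $1}')
        echo "${kb:-0} $c"
    done | sort -rn
}

# Print the name of the component that uses the most space.
largest_component() {
    component_usage "$1" | awk 'NR==1 {print $2}'
}

# Print the used percentage (number only) of the filesystem that holds $1.
fs_used_percent() {
    df -P "${1:-/var}" | awk 'NR==2 {gsub("%", "", $5); print $5}'
}

# Return 0 and print a warning when usage is at or above the limit (default 80).
check_var() {
    base=${1:-/var}; limit=${2:-80}
    used=$(fs_used_percent "$base")
    if [ "$used" -ge "$limit" ]; then
        echo "WARNING: $base at ${used}% (limit ${limit}%), largest: $(largest_component "$base")"
        return 0
    fi
    return 1
}

# Stand-alone run: list component usage under /var (or the directory given as $1).
component_usage "${1:-/var}"
```

The 80% limit is an arbitrary starting point; choose a value that leaves headroom for the log volume of your appliance model.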
How to manage disk space
Reports
We recommend that you follow our best practices to prevent the disk from becoming full.
Free up disk space
Keep track of alerts and purge reports if the disk becomes full.
- Keep track of alerts using any of the following options:
    - Monitor the Control center or the Log viewer for the alerts.
    - Go to System services > Notification list and set up email and SNMP notifications.
- Go to Reports > Show Reports settings and take one or all of the following actions:
    - Click Data management and select a lower report retention period for some or all modules.
    - Click Manual purge and purge some or all reports for a certain period. See Manual purge.
Best practices
Follow the best practices to ensure that the /var folder has enough disk space.
- Configure Sophos Central firewall reporting as follows:
    - Register for Sophos Central firewall management. See Sophos Central services overview.
    - Go to System services > Log settings and select Central reporting for the firewall modules.
      The firewall sends event logs to Sophos Central, which generates and stores reports based on these logs. See Log settings.
- Use the data storage estimation tool to check your storage requirements and evaluate the space plans in the reporting license in Sophos Central. See Firewall reporting storage by firewall model.
- Specify shorter retention periods for reports in the firewall as follows:
    - Go to Reports > Show Reports settings > Data management.
    - Select the duration based on each module and your network and compliance requirements. See Data management.
    - Click Apply.
  Note
  The duration you specify applies only to reports. It doesn't apply to logs.
- (Optional) Turn off on-appliance reports. It turns off all reporting in the firewall. See .
Event logs
Log viewer shows the event logs. To minimize the disk space consumed by event logs, you can send the logs to external syslog servers and then turn off log storage in the firewall.
Go to System services > Log settings and take one or both of the following actions:
- Configure syslog servers to send the logs to.
  You can retain event logs for a longer duration based on your network and compliance requirements.
- Turn off local logs for some or all modules.
- Select log suppression to reduce disk usage.
See Log settings.
Troubleshooting logs
Make sure you turn off debug mode. If you're troubleshooting an issue, download the log files you want and then purge the troubleshooting logs as follows:
- Go to Diagnostics > Tools and download the logs using one of the following options:
    - Troubleshooting logs
    - Consolidated troubleshooting report
  See Troubleshooting logs.
- If you've turned on debug mode for any component, turn it off. See Check troubleshooting logs.
  Troubleshooting logs take considerable space in debug mode. Turn it on only when you're troubleshooting. Turn it off as soon as you get the required logs.
- Go to Diagnostics > Packet capture and make sure you've turned it off.
  Turn it on only when you're troubleshooting.
- If you continue to face a space issue for troubleshooting logs, purge all logs, the compressed logs, or logs for specific components. See Troubleshooting logs.