To prevent the generated system event logs and dump files from filling up the hard disk, the log and dump files are automatically rotated when the maximum allowed file size is reached or when the maximum storage duration expires. As soon as the total size of the files exceeds the configured limit, the oldest files are automatically deleted.
The following types of system events are stored on the /var partition of a Kaspersky NGFW device:
Rotation works differently for different types of files:
"SystemMaxUse=" in journald.conf.

A certain disk space quota is allocated for each file type (see the table below).
Maximum allowed file size

| File type | Maximum percentage of occupied space |
|---|---|
| Network dump file | The file size is determined by the configured log length in seconds or packets |
| Core dump files | 10% |
| Local system event files | 40% (not counted if system events are stored in RAM) |
| Persistent security event files in | 15% |
| Temporary security event files in | 15% |
| Traffic dump files when IDPS signatures are triggered in | 10% |
You can find out how much disk space on the /var partition is allocated for other data and the remaining space on the /var partition allocated for log files and dump files by running the du command in bash on the Kaspersky NGFW device.
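The du check described above can be scripted to compare a directory's usage with its quota from the table and to list the files that would be rotated out first. This is an added example, not part of the product or its documentation. Assumptions: the directory is passed as an argument because the paths are not given here, the percentage is taken relative to the total size of the partition holding the directory, "oldest" is judged by modification time, and the 90% warning threshold is arbitrary.

```shell
#!/bin/sh
# Added example (not vendor code). Usage once the functions are loaded:
#   quota_report <directory> <quota_percent>
#   oldest_files <directory> <count>
# <directory> is a placeholder: substitute the directory you want to check.

# Total size in KiB of the filesystem holding $1 (POSIX df, column 2).
partition_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $2 }'
}

# Disk usage in KiB of directory $1.
dir_kb() {
    du -sk "$1" | awk '{ print $1 }'
}

# classify USED_KB TOTAL_KB QUOTA_PERCENT -> OK | NEAR | OVER
# NEAR: usage is at or above 90% of the quota (assumed threshold),
# so the oldest files are close to being deleted.
classify() {
    awk -v u="$1" -v t="$2" -v q="$3" 'BEGIN {
        limit = t * q / 100
        if (u > limit)             print "OVER"
        else if (u >= limit * 0.9) print "NEAR"
        else                       print "OK"
    }'
}

# The N oldest entries in directory $1 by modification time
# (assumption: these are the first candidates for deletion).
oldest_files() {
    ls -1tr "$1" | head -n "$2"
}

# One-line summary for a directory and its quota percentage.
quota_report() {
    dir=$1
    quota=$2
    used=$(dir_kb "$dir") || return 1
    total=$(partition_kb "$dir") || return 1
    pct=$(awk -v u="$used" -v t="$total" 'BEGIN { printf "%.1f", u * 100 / t }')
    state=$(classify "$used" "$total" "$quota")
    echo "$dir used=${used}K share=${pct}% quota=${quota}% state=$state"
}
```

A NEAR or OVER state is the point at which the files listed by oldest_files should be copied off the device if they are needed for an investigation.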