To prevent the generated system event logs and dump files from filling up the hard disk, the log and dump files are automatically rotated when the maximum allowed file size is reached or when the maximum storage duration expires. As soon as the total size of the files exceeds the configured limit, the oldest files are automatically deleted.
The following types of system events are stored in the /var section of a Kaspersky NGFW device:

- traffic_dump.pcap

Rotation works differently for different types of files:

- /var section is exhausted.
- "SystemMaxUse=" in journald.conf.
- /var section is exhausted.

A certain disk space quota is allocated for each file type (see the table below).
Maximum allowed file size

| File type | Maximum percentage of occupied space |
|---|---|
| Network dump file | The file size is determined by the specified packet capture duration in seconds or the maximum number of packets to be captured |
| Core dump files | 10% |
| Local system event files | 40% (not counted if system events are stored in RAM) |
| Persistent security event files in | 15% |
| Temporary security event files in | 15% |
| Traffic dump files when IDPS signatures are triggered in | 10% |
You can find out how much disk space on the /var partition is allocated to other data, and how much of the /var partition remains available for log files and dump files, by running the du command on the command line of the Kaspersky NGFW device.
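The rotation rule described at the top of this page (files expire after the maximum storage duration, and the oldest files are deleted while the total exceeds the configured limit) together with the percentage quotas in the table can be modelled in a few lines. The following Python is an added illustration, not Kaspersky NGFW code: the file names, the partition size, the 30-day retention period and the `select_for_rotation` and `quota_bytes` helpers are assumptions constructed for the example, and only the quota percentages come from the table above.

```python
"""Added example (not Kaspersky's code): applies the size/age rotation rule and
the per-type percentage quotas described on this page to a constructed file
list. Function names, file names and sample sizes are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Quota table from the page: file type -> maximum percentage of the /var partition.
QUOTA_PERCENT = {
    "core_dump": 10,
    "local_system_event": 40,
    "persistent_security_event": 15,
    "temporary_security_event": 15,
    "idps_traffic_dump": 10,
}


@dataclass
class LogFile:
    name: str
    size: int          # bytes
    mtime: datetime    # last modification time


def quota_bytes(var_partition_size: int, file_type: str) -> int:
    """Absolute byte quota for a file type, derived from the percentage table."""
    return var_partition_size * QUOTA_PERCENT[file_type] // 100


def select_for_rotation(files, quota: int, max_age: timedelta, now: datetime):
    """Return the names of files to delete, in deletion order.

    Two rules from the page:
      1. files older than max_age are expired regardless of size;
      2. while the total size of the remaining files exceeds quota,
         the oldest remaining file is deleted first.
    """
    by_age = sorted(files, key=lambda f: f.mtime)   # oldest first
    to_delete, keep = [], []
    for f in by_age:
        if now - f.mtime > max_age:
            to_delete.append(f.name)
        else:
            keep.append(f)
    total = sum(f.size for f in keep)
    while keep and total > quota:
        oldest = keep.pop(0)
        total -= oldest.size
        to_delete.append(oldest.name)
    return to_delete


def demo():
    # Constructed sample: a 100 GB /var partition holding five core dump files.
    gb = 1024 ** 3
    now = datetime(2024, 1, 10, 12, 0, 0)
    quota = quota_bytes(100 * gb, "core_dump")      # 10% of /var = 10 GB
    files = [
        LogFile("core.1", 3 * gb, now - timedelta(days=40)),   # older than 30 days
        LogFile("core.2", 4 * gb, now - timedelta(days=5)),
        LogFile("core.3", 4 * gb, now - timedelta(days=3)),
        LogFile("core.4", 4 * gb, now - timedelta(days=1)),
        LogFile("core.5", 1 * gb, now - timedelta(hours=2)),
    ]
    # core.1 expires by age; the remaining 13 GB exceed the 10 GB quota,
    # so the oldest survivor (core.2) is removed next, leaving 9 GB.
    return select_for_rotation(files, quota, timedelta(days=30), now)


if __name__ == "__main__":
    print(demo())
```

The percentages in the table sum to 90%, which is why the remaining space reported by `du` for other data on /var matters: the quotas are relative to the partition, not to whatever happens to be free.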