If the number of audit log entries stored in the Enswitch database becomes excessive, performance may suffer. This can be cured by archiving old entries.
Archiving audit log entries locally
If old entries are still required, they can be archived within the Enswitch database. This improves the performance of the audit report, but still makes the archived entries available to the system owner. To do this, change the "Table containing archived audit log entries" configuration setting to "audit_archive", then add an entry similar to the following to /etc/crontab:
39 3 * * * enswitch /opt/enswitch/current/bin/audit_archive 90
This archives entries older than 90 days every night at 3:39am.
Archived entries are moved from the audit to the audit_archive table within the Enswitch database. This improves performance by reducing the size of the indexes on the audit table, making the searches done by the audit report faster.
Archived entries are hidden from all users by default. It is possible to allow some roles to access them by granting the "Read archived data" role permission. This should be done with caution because it reduces the performance gains made by archiving, and should normally be limited to the system owner role.
Archiving audit log entries remotely
As an alternative to archiving audit log entries locally as above, entries can be moved to a remote database on another machine. THIS IS NOT SUPPORTED, AND NOT RECOMMENDED. IF YOU DO THIS, YOU ARE RESPONSIBLE FOR CONFIGURING AND MANAGING THE REMOTE MACHINE. YOU WILL NEED TO MERGE ANY SCHEMA CHANGES MADE BY FUTURE ENSWITCH UPGRADES. If you're sure you want to do this, the steps are:
- Contact Enswitch support and let them know you're doing this. They will disown any responsibility for what you're doing.
- Take a backup of the Enswitch database.
- If you've archived any entries locally, move them back to the audit table.
- Create the remote database, with the audit table. This table must have exactly the same schema as the audit table in the Enswitch database. Note that if future versions of Enswitch change this schema, you must manually apply the same change to the remote database.
- Create a database user for the new database, and give them access to the audit table.
- Create "delete/audit/archive", "insert/audit/archive", and "select/audit/archive" handlers in /etc/enswitch/databases.ini.
- Change the "Table containing archived audit log entries" configuration setting to "audit".
- Restart the web server.
- Create a crontab entry, similar to the local archiving above, but for "/opt/enswitch/current/bin/audit_archive_remote".
- Run "/opt/enswitch/current/bin/audit_archive_remote <days>" manually.
- Check that the data in both databases is as you expect.
- Enable the "Read archived data" permission for any roles that may access archived entries. This should be done with caution because it reduces the performance gains made by archiving, and should normally be limited to the system owner role.
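The crontab entries used for local and remote archiving above can be checked before relying on them. The following is an added example, not part of Enswitch, that lints audit_archive and audit_archive_remote lines in a system crontab. The function name check_audit_cron, the minimum age threshold, and the rule that the job runs as the enswitch user (taken from the sample entry above) are assumptions.

```shell
#!/bin/sh
# Added example (not Enswitch code): lint audit archiving entries in a
# system crontab such as /etc/crontab.
#
# Usage: check_audit_cron FILE [MIN_DAYS]     (FILE may be "-" for stdin)
# Prints one line per entry:  OK|BAD <script> <days> [reason]
# Returns 0 only if at least one entry exists and every entry is OK.
# MIN_DAYS is a hypothetical local policy value: archived entries are hidden
# from users by default, so a very small age hides recent audit entries.
check_audit_cron() {
    awk -v min="${2:-1}" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        {
            # System crontab layout: 5 time fields, user, command, arguments.
            n = split($7, parts, "/"); script = parts[n]
            if (script != "audit_archive" && script != "audit_archive_remote")
                next
            found++
            reason = ""
            if ($6 != "enswitch")           # assumption: same user as the sample entry
                reason = "runs as " $6 ", not enswitch"
            else if ($8 !~ /^[0-9]+$/)
                reason = "days argument missing or not a number"
            else if ($8 + 0 < min + 0)
                reason = "archive age below " min " days"
            else if (NF > 8)
                reason = "unexpected extra arguments"
            if (reason == "") {
                printf "OK %s %s\n", script, $8
            } else {
                bad++
                printf "BAD %s %s %s\n", script, ($8 == "" ? "-" : $8), reason
            }
        }
        END { exit !(found > 0 && bad == 0) }
    ' "$1"
}

# Constructed sample lines, not taken from a real system.
check_audit_cron - 30 <<'EOF' || echo "audit archiving entries need attention"
39 3 * * * enswitch /opt/enswitch/current/bin/audit_archive 90
45 3 * * * root /opt/enswitch/current/bin/audit_archive_remote 7
EOF
```

Run it against /etc/crontab after adding or changing an archiving entry; a non-zero return means an entry is missing or was flagged.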