PowerScale: How to Remove Audit Log Files
Summary: This document describes a support method to remove audit log files.
Instructions
Introduction
In OneFS 7.1 and later, SMB/NFS auditing generates audit logs for the user-defined SMB/NFS events. After the audit logs are written, the logs are forwarded in an asynchronous fashion to the configured Common Event Enabler (CEE) server. The CEE server then forwards the logs to the defined auditing application endpoint.
Audit logs are retained indefinitely. The logs are stored in the /ifs/.ifsvar/audit directory and the following subdirectories, where nodeXXX is the node ID (for example, node001):
/ifs/.ifsvar/audit/logs/
/ifs/.ifsvar/audit/logs/nodeXXX
/ifs/.ifsvar/audit/logs/nodeXXX/protocol
After auditing is enabled on the cluster, all audit logs are collected in the listed protocol subdirectories. Audit logs continue to be collected if the audit function is enabled and later disabled. The audit subsystem collects and stores audit information in binary files, which can grow to approximately 1 GB in size. When a binary file reaches 1 GB, data is rolled over to the next file and retained forever. The files cannot be moved to another location.
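Because the files are retained forever and cannot be moved, it is worth tracking how much space each node's protocol subdirectory holds. The read-only shell functions below are an added example, not part of the original article or any Dell tooling; the function names and the byte threshold argument are hypothetical, and the code assumes the logs/nodeXXX/protocol layout listed above.

```shell
#!/bin/sh
# Added example: report audit log usage per node (read-only, deletes nothing).
# Default root is the directory named in the article; passing another root
# (for example a test tree) is an assumption of this example.

# Print one line per node: "<node> <file count> <total bytes>".
audit_usage_report() {
    root="${1:-/ifs/.ifsvar/audit/logs}"
    if [ ! -d "$root" ]; then
        echo "audit log root not found: $root" >&2
        return 1
    fi
    for dir in "$root"/node*/protocol; do
        # Skip the unexpanded glob when no node has a protocol subdirectory.
        [ -d "$dir" ] || continue
        node=$(basename "$(dirname "$dir")")
        # Sum the size column of ls -l; %.0f keeps totals of many GB exact
        # across awk implementations.
        find "$dir" -type f -exec ls -l {} + |
            awk -v node="$node" '{ n++; b += $5 }
                END { printf "%s %d %.0f\n", node, n, b }'
    done
}

# Print the nodes whose protocol logs exceed a byte threshold
# (hypothetical helper for a capacity alert).
audit_nodes_over() {
    audit_usage_report "$1" | awk -v limit="$2" '$3 + 0 > limit + 0 { print $1 }'
}
```

Run `audit_usage_report` with no argument on the cluster to use the default path, or `audit_nodes_over /ifs/.ifsvar/audit/logs 50000000000` to list nodes holding more than roughly 50 GB of audit logs.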
For the isi_audit_viewer command, check the article Isilon: How to view audit logs on OneFS? (Logging in as a registered user may be required to view this article.)
Note: If auditing is disabled for a long period and then enabled, every log file must be sent to the CEE server for processing at the start of audit log collection. This process can take some time if there are many files, and system performance might be slowed as a result.
All historical logs are sent to the CEE server when audit is enabled. Real-time events are sent asynchronously after historical logs are sent and processed. As a result, current audit events are delayed by historical log processing and are not initially displayed in the audit application.
In addition to the physical files on disk, OneFS maintains a temporary cache of audit messages before the messages are written to disk. The default maximum-allowed cache is 2048 messages. To view the current cache settings, run the isi audit topics view protocol command.
If you are running OneFS 8.x to 9.0.x, contact PowerScale Technical Support since removing the audit log files is limited to PowerScale Technical Support staff.