KB Article | Forcepoint Support

Problem Description

Why is there a 100000 log entry limit for SMC Log Analysis?


The Log Analysis arrangement provides various tools to analyze and visualize log data. For example, you can combine logs by service or situation, sort logs by column type, or view the data as charts or diagrams.

The various tools make it easier to notice patterns and anomalies in traffic.

When you enter Log Analysis mode, a maximum of 100000 log events is placed in the Log Server’s memory. The events are selected by applying filters and selecting a time range in the Logs view.

NOTE: Live log analysis is opened by clicking Analyze (live).

Log Analysis for the Current Events live logs view applies only to a maximum of 100 log events.

A limit for processed logs is required because Log Analysis data is handled in memory and the Log Server may also be performing several other operations. 

IMPORTANT: Log Analysis operations will slow down as the number of events rises.

To modify the maximum number of log events available to Log Analysis:
  1. On the Management server, open the file <installation folder>/data/SGConfiguration.txt in a text editor of your choice.
  2. Add a line to define the maximum number of log events in Log Analysis
  3. Save the changes. The change is applied the next time the SMC services are restarted.

    NOTE: Although you can increase the maximum number of events for Log Analysis, the number should remain limited. If, after you change the value, you experience memory-related errors or slowness in other operations, revert to a lower value.

Keywords: log server; logging; log analysis; monitoring; log event limit
