We are frequently getting log message deletion emails from CA PAM. Database log purging is turned off in our systems on the Configuration > Logs > Automatic Log Purge page.
Can you please help us understand the reason for these logs being deleted from CA PAM? What is the impact?
CA Privileged Access Manager 3.x
There is a maximum number of records defined for the session log, which is stored in a database table. This number is 82000. Once that number is exceeded, a logwatch process running on the appliance will start purging rows, even if automatic log purge has not been explicitly configured on the Configuration > Logs > Automatic Log Purge page. This protects the appliance against a disk-full condition caused by ever-growing session logs.

By default the utility checks the session log size every 24 hours and deletes 4000 rows at a time. Another check runs every 5 minutes against a second limit that can be anywhere between 82000 and 250000, but in most cases will be one or the other. On virtual PAM instances it will likely be 82000, in which case the log purge emails could be received at any time of the day, separated by a multiple of 5 minutes plus any processing time needed to check the table size between the sleep intervals.

If the option "Require Email be Sent Before Purge" is checked on the Automatic Log Purge configuration page, the 24-hour check will not delete log entries if they cannot be sent by email to the Admin Email address configured on the Configuration > Monitor > General Monitoring Parameters page. The 5-minute check, however, will delete the oldest 4000 records anyway to protect against uncontrolled DB growth. In that case you can lose the old entries without having a backup saved in an email attachment.

If the next check finds that the limit is exceeded by more than 4000 records, you may receive multiple emails containing 4000 messages each within a short time.
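The following added example (not CA PAM code) models the two checks described above, to estimate how many purge emails to expect and how many session log rows would be deleted with no email copy if mail delivery fails. The function and field names are hypothetical, the ingest rate and starting row count are constructed inputs, and the model assumes a check keeps removing 4000-row batches until the table is back at its limit.

```python
from dataclasses import dataclass

DAILY_LIMIT = 82_000   # row cap enforced by the 24-hour check (from the article)
BATCH = 4_000          # rows removed per purge (from the article)
TICKS_PER_DAY = 288    # number of 5-minute checks in 24 hours

@dataclass
class PurgeStats:
    rows: int          # rows left in the session log table
    emailed: int = 0   # rows purged after being mailed to the admin address
    lost: int = 0      # rows purged with no email copy
    emails: int = 0    # purge emails delivered

def _purge(s, limit, email_ok, force):
    # Assumption: a check removes batches until the table is back at the limit.
    while s.rows > limit and (email_ok or force):
        s.rows -= BATCH
        if email_ok:
            s.emailed += BATCH
            s.emails += 1
        else:
            s.lost += BATCH

def simulate(days, rows_per_min, start_rows=0, fast_limit=82_000,
             email_ok=True, require_email=True):
    s = PurgeStats(rows=start_rows)
    for tick in range(1, days * TICKS_PER_DAY + 1):
        s.rows += rows_per_min * 5
        # 5-minute check: always purges, even when the email cannot be sent.
        _purge(s, fast_limit, email_ok, force=True)
        if tick % TICKS_PER_DAY == 0:
            # 24-hour check: held back if email is required but undeliverable.
            _purge(s, DAILY_LIMIT, email_ok, force=not require_email)
    return s

if __name__ == "__main__":
    # Constructed scenario: 10 rows/min, table near the cap, mail relay down.
    print(simulate(days=1, rows_per_min=10, start_rows=80_000, email_ok=False))
```

With the second limit at 82000 and email delivery failing, the constructed scenario loses 16000 rows in one day without a backup, which is the case the article warns about.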