Issue: Logs Fill Up CSA

Version 10

    Verified Product Versions

    Endpoint Manager 9.5Endpoint Manager 9.6Endpoint Manager 2016.xEndpoint Manager 2017.xEndpoint Manager 2018.x

    NOTE: The settings recommended in the config file are not static. Depending on how much traffic your CSA sees you may need to adjust the size and retention



    Unable to login to CSA. Repeatedly get the login prompt through the GUI, even though credentials are good. Get the 403 Forbidden error when logging into the CSA.


    To confirm this is a problem login to the CSA via SSH then run the command> df -h

    In the below output you can see the Use%. If any partition is 100% this is the problem.



         [[email protected] ~]$ df -h

         Filesystem            Size  Used Avail Use% Mounted on


                                42G  1.9G   38G   5% /

         tmpfs                 3.9G     0  3.9G   0% /dev/shm

         /dev/sda1             485M   33M  427M   8% /boot






    Remove the logs filling up the drive space

    cd /var/log

    rm messages* -f




    create a file named 'messages' and place it in /etc/logrotate.d/ with this content:

    /var/log/messages {



      size 10M

      rotate 10





    *script can be modified in either the file size or the number of logs to keep.



    Copy this file with WinSCP or FileZilla to root /etc/logrotate.d/



    If the above script doesn't work, here is a more specific script that can be used if the problem is unresolved after those first two steps.


    /var/log/messages {


    size 10M

    rotate 0



    dateformat -%Y-%m-%d-%s


    /usr/bin/find /var/log/ -name "messages-*" -type f -exec rm {} $




    Notes about the script:

    • dateext and dateformat -%Y-%m-%d-%s needed to be added for hourly rotations. By default, /etc/logrotate.conf is set to add -%Y-%m-%d and without the -%s, it will not create a unique file name and the log will not be rotated.
    • The postrotate line was added because even with rotate 0 set, it still leaves 1 old log file. Because of how quickly this log may grow, it is useful for making sure no logs are left over.
    • The size option must be set and not the frequency (weekly, daily, monthly) because hourly is not a valid option. This is useful for logs that fill up much quicker than usual.


    The newer versions of the appliance added /var/log/messages to the /etc/logrotate.d/syslog. This line MUST be removed from the file, otherwise logrotate errors out stating there are 2 entries found for /var/log/messages and will not rotate the log.

    It may be needed to schedule the job to run every hour by adding the following line to /etc/crontab

    0 * * * * root /usr/sbin/logrotate /etc/logrotate.conf


    NOTICE: If You are out of space and have cleaned up a few files, yet the CSA still thinks there is no available space, try rebooting the CSA