How to Delete Old Logs or Data in EventLog Analyzer


Objective

This article helps you manage and delete old log data in EventLog Analyzer using retention and archival settings. It explains how to automatically or manually remove outdated logs to optimize storage and maintain disk usage.

Prerequisites

  • Administrator access to EventLog Analyzer.  
  • Understanding of your organization’s data retention policies for security or compliance requirements.  
  • Backup of logs (if required for auditing or compliance before deletion).  

Steps to follow

Step 1: Configure live log Retention Settings
If you want to reduce the storage used by any of the following locations, consider reducing the live log retention period.
For build numbers below 13000:
<Installation Directory>EventLog Analyzer/ES
<Installation Directory>elasticsearch/ES
For build numbers 13000 and above:
<Installation Directory>Log360/ES
1. Log in to the user interface as an administrator.  
2. Navigate to Settings → Admin Settings → Retention Settings.  
3. Under Retention Settings, specify the number of days to retain live logs (e.g., 30, 90, or 180 days). The live retention categories are as follows:
  • Current Storage Size: Current Storage Size defines the number of days the collected raw logs will be retained in the database. The logs collected earlier than the configured value will be deleted. The default value is 32 days.
  • Correlation Retention Period: Correlation Retention Period defines the number of days the formatted log data will be retained in the database. The logs formatted earlier than the configured value will be deleted. The default value is 90 days.
  • Alert Retention Period: Alert retention period defines the number of days that the alerts will be retained in the database. The alerts raised earlier than the specified number of days will be deleted. The default retention period is 90 days.
  • Audit Retention Period: Audit Retention Period defines the number of days that the Audit data for External APIs and technicians will be retained in the database. Audit data that is earlier than the configured value will be deleted. The default value is 90 days.
4. Once the retention period expires, the application automatically deletes old logs from storage.  
5. Click Save to apply the settings.
Note: Setting a shorter retention period helps control data size and disk usage. After reducing the storage duration, the cleanup process runs automatically at a 12-hour interval. To apply the changes immediately, you can restart the application — this triggers the first cleanup cycle within 10 minutes, followed by subsequent cleanups every 12 hours.

Step 2: Manage Archive Data
1. Go to Settings → Admin Settings → Archive → Settings.  
2. Review the Archive Zip Location and Retention for Archived Logs.  
3. To delete older archives, set a shorter retention period under "Retain Archive Logs For".  
4. EventLog Analyzer will automatically delete archive files older than the configured duration.


Note: After reducing the storage duration, the cleanup process runs automatically at a 12-hour interval. To apply the changes immediately, you can restart the application — this triggers the first cleanup cycle within 10 minutes, followed by subsequent cleanups every 12 hours.
5. You can create archive policies to group devices so that they have a different log storage location, a different storage duration, or both.

Example: In this image, the DataCenter Policy is created specifically for the devices in the data center. You can assign a single device, multiple devices, or a device group when creating the policy, with customized retention and storage location.
In the image above, the Datacenter Policy is configured for the data center device group, and the Default Config policy is configured for All devices. Because the Datacenter Policy is listed first, it has a higher priority than the Default Config policy, so the Datacenter device group is governed by the Datacenter Policy.

Archive Manual Deletion:
If you have deleted a log source in EventLog Analyzer, all of its configurations and archive entries are removed from the database; however, the archive files remain in storage.

You can check the log source data in the archive storage location and remove them manually.
- Navigate to the archive directory (default path: `<EventLogAnalyzer_Home>/archive/`).  
- Delete the old `.zip` archive files corresponding to outdated periods.
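
The manual cleanup above can be done with an audit trail. The following is an added example, not ManageEngine code: it lists `.zip` archives older than a cutoff, records each file's SHA-256, size and timestamp in a manifest, and deletes only when explicitly told to. It assumes file modification time reflects archive age (copied or restored files may carry a newer time); the function names and manifest format are hypothetical.

```python
import hashlib
import time
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_old_archives(archive_root, max_age_days, now=None):
    """Return [(path, size, mtime)] for .zip files older than the cutoff, oldest first."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    root = Path(archive_root).resolve()
    hits = []
    for p in root.rglob("*.zip"):
        # Skip symlinks and anything that resolves outside the archive root.
        if p.is_symlink() or not p.is_file() or root not in p.resolve().parents:
            continue
        st = p.stat()
        if st.st_mtime < cutoff:
            hits.append((p, st.st_size, st.st_mtime))
    return sorted(hits, key=lambda h: h[2])

def prune_archives(archive_root, max_age_days, manifest_path, delete=False, now=None):
    """Append one manifest line per old archive; delete only if delete=True.
    Returns (file_count, total_bytes)."""
    hits = find_old_archives(archive_root, max_age_days, now)
    total = 0
    with open(manifest_path, "a", encoding="utf-8") as manifest:
        for p, size, mtime in hits:
            digest = sha256_of(p)  # hash before removal so the record is verifiable
            if delete:
                p.unlink()
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(mtime))
            action = "DELETED" if delete else "DRY-RUN"
            manifest.write(f"{action}\t{digest}\t{size}\t{stamp}\t{p}\n")
            total += size
    return len(hits), total

if __name__ == "__main__":
    # Placeholder path: substitute your configured Archive Zip Location
    # (default per this article: <EventLogAnalyzer_Home>/archive/).
    n, b = prune_archives("/path/to/archive", 180, "archive_prune_manifest.tsv")
    print(f"{n} archive(s), {b / 2**20:.1f} MiB eligible (dry run, nothing deleted)")
```

Review the dry-run manifest against your retention policy before calling `prune_archives(..., delete=True)`, and keep the manifest with your audit records.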

Tips

  1. Schedule periodic retention policy reviews to balance storage and compliance needs.  
  2. Always back up critical logs before deletion.  
  3. Use Zipped Live Logs under Retention Settings for efficient storage management.

How to reach support

If you require assistance with configuring retention or resolving storage issues, contact ManageEngine Support.  
Provide your build number, current retention settings, and storage directory details for faster resolution.  

