Hi,
I’m currently working on an ETL script that collects Audit Logs from both ArcGIS Server and Portal for ArcGIS and writes them into a database for long-term analysis.
While reviewing the audit log files, I noticed that the logs are split into multiple files. Some files are 0 KB, some contain data, and new files appear even without any changes to the retention settings.

To design a reliable ETL script, I need to understand the exact behavior of Audit Log creation and rotation. I’ve read the official documentation, but it doesn’t describe the detailed behavior.
Here are my questions:
1. How does ArcGIS Server/Portal decide when to create a new audit log file?
   Is a new file created based on:
2. How does retention actually delete logs?
   Does ArcGIS delete the entire file once it is older than the threshold, or does it remove only older events inside a file?
3. Is the audit log rotation behavior the same for both ArcGIS Server and Portal for ArcGIS?
I appreciate any detailed explanation or internal-behavior insights.
Thanks in advance!