Difference Between Data in Logs and Predefined Reports

Created On 09/26/18 13:53 PM - Last Modified 06/01/23 03:16 AM




Issue

The amount of data in the predefined reports does not match the logs. For example, a predefined report shows that for a particular user, the top application is Bittorrent with 20000 sessions totaling 10GB of data during the last 24 hours. If a traffic log export is performed for the same user over the last 24 hours, the sum of all the data under the "session bytes" column comes to 18GB of data.

 

Cause

Predefined reports get their data from the summary logs. If not enough space is allocated to the summary traffic logs, these logs are purged/deleted at a faster rate than the regular traffic logs. As a result, the predefined reports show different data than an exported traffic log.

 

Verify whether this is the case by looking at the ms log with the following command: less mp-log ms.log. The following lines indicate that summary logs are being purged:

mp\ms.log 09-30 09:13:05 traffic log db size after purging : 356598 Mb. Total bytes purged: 18838 Mb

mp\ms.log 09-30 19:45:07 trsum log db size after purging : 35545 Mb. Total bytes purged: 2077 Mb

mp\ms.log 09-30 20:57:07 traffic log db size after purging : 356622 Mb. Total bytes purged: 18862 Mb

 

Note: Alternatively, the show system logdb-quota command shows the allocated disk size and the available free space for the summary logs.
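The ms.log check above can be scripted against an exported copy of the log to see which log databases are being purged and how much each has lost. The following Python is an added example, not part of the original article or of any Palo Alto Networks tooling; the function names are hypothetical, and treating only trsum as a summary database is an assumption based on the lines quoted here.

```python
import re

# Matches the purge lines quoted in the article, for example:
# mp\ms.log 09-30 19:45:07 trsum log db size after purging : 35545 Mb. Total bytes purged: 2077 Mb
PURGE_RE = re.compile(
    r"(?P<date>\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<db>\S+) log db size after purging\s*:\s*(?P<size>\d+)\s*Mb\.\s*"
    r"Total bytes purged:\s*(?P<purged>\d+)\s*Mb"
)

# Assumption: only "trsum" appears in the article; pass a larger set for
# other summary databases present on your device.
SUMMARY_DBS = frozenset({"trsum"})

# The three lines from the article plus one constructed non-purge line.
SAMPLE = r"""mp\ms.log 09-30 09:13:05 traffic log db size after purging : 356598 Mb. Total bytes purged: 18838 Mb
mp\ms.log 09-30 19:45:07 trsum log db size after purging : 35545 Mb. Total bytes purged: 2077 Mb
mp\ms.log 09-30 20:57:07 traffic log db size after purging : 356622 Mb. Total bytes purged: 18862 Mb
mp\ms.log 09-30 21:00:00 constructed line that is not a purge event
"""


def summarize_purges(text, summary_dbs=SUMMARY_DBS):
    """Aggregate purge events per log database from ms.log text."""
    stats = {}
    for line in text.splitlines():
        m = PURGE_RE.search(line)
        if m is None:
            continue  # not a purge line
        entry = stats.setdefault(m["db"], {
            "events": 0, "purged_mb": 0, "last_size_mb": None,
            "last_seen": None, "summary": m["db"] in summary_dbs,
        })
        entry["events"] += 1
        entry["purged_mb"] += int(m["purged"])
        entry["last_size_mb"] = int(m["size"])
        entry["last_seen"] = f'{m["date"]} {m["time"]}'
    return stats


def purged_summary_dbs(text, summary_dbs=SUMMARY_DBS):
    """Names of summary databases with at least one purge event."""
    return sorted(db for db, s in summarize_purges(text, summary_dbs).items() if s["summary"])


if __name__ == "__main__":
    for db, s in summarize_purges(SAMPLE).items():
        kind = "summary" if s["summary"] else "detailed"
        print(f"{db} ({kind}): {s['events']} purge(s), {s['purged_mb']} Mb purged, last at {s['last_seen']}")
    print("Summary databases purged:", purged_summary_dbs(SAMPLE))
```

A non-empty result from purged_summary_dbs means predefined reports for the affected period were built from an incomplete summary data set.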

 

Resolution

Increase the size allocation of the summary logs so that the logs will not get purged.

  1. Navigate to Device > Setup > Management tab
  2. Edit the Logging and Reporting Settings section.
  3. Modify the "Quota(%)" values for the summary logs.

 

owner: sdurga


