Audit Log Cleanup
MXCP audit logs can grow over time. This guide covers retention policies, manual cleanup, and automated maintenance strategies.
Default Retention
MXCP uses a default retention period of 90 days for endpoint execution logs. Records older than this are automatically removed when you run the cleanup command.
Note: The retention period is currently fixed at 90 days and is not configurable via mxcp-site.yml.
Manual Cleanup
Using mxcp log-cleanup
```bash
# Apply retention policy
mxcp log-cleanup

# Preview what would be deleted
mxcp log-cleanup --dry-run

# Specific profile
mxcp log-cleanup --profile production
```
Output
```
Applying retention policies...

Deleted records by schema:
  mxcp.endpoints:1: 15234 records

Total records deleted: 15234
```
Dry-run output:
```
DRY RUN: Analyzing what would be deleted...

  mxcp.endpoints (retention: 90 days): 15234 records

Total records that would be deleted: 15234

Run without --dry-run to actually delete these records.
```
JSON output format (`--json`):
```json
{
  "status": "success",
  "message": "Deleted 15234 records",
  "deleted_per_schema": {
    "mxcp.endpoints:1": 15234
  }
}
```
Dry-run JSON:
```json
{
  "status": "dry_run",
  "message": "Would delete 15234 records",
  "deleted_per_schema": {
    "mxcp.endpoints:1": 15234
  }
}
```
Direct DuckDB Cleanup
For advanced scenarios:
```bash
# Export logs to DuckDB for analysis
mxcp log --export-duckdb audit_analysis.duckdb

# Query and clean up
duckdb audit_analysis.duckdb << 'EOF'
-- Check log distribution (timestamp is stored as ISO string)
SELECT
  DATE_TRUNC('month', timestamp::TIMESTAMP) as month,
  COUNT(*) as records
FROM audit_logs
GROUP BY month
ORDER BY month;

-- Delete old records
DELETE FROM audit_logs
WHERE timestamp::TIMESTAMP < CURRENT_DATE - INTERVAL '90 days';
EOF
```
Automated Cleanup
Using Cron
Create a cron job for regular cleanup:
```bash
# Edit crontab
crontab -e

# Run cleanup daily at 2 AM
0 2 * * * /usr/local/bin/mxcp log-cleanup --profile production >> /var/log/mxcp/cleanup.log 2>&1

# Run cleanup weekly on Sunday
0 3 * * 0 /usr/local/bin/mxcp log-cleanup --profile production >> /var/log/mxcp/cleanup.log 2>&1
```
Using systemd Timer
Create /etc/systemd/system/mxcp-log-cleanup.service:
```ini
[Unit]
Description=MXCP Audit Log Cleanup
After=network.target

[Service]
Type=oneshot
User=mxcp
Group=mxcp
WorkingDirectory=/opt/mxcp
ExecStart=/usr/local/bin/mxcp log-cleanup --profile production
StandardOutput=journal
StandardError=journal
```
Create /etc/systemd/system/mxcp-log-cleanup.timer:
```ini
[Unit]
Description=Daily MXCP audit log cleanup

[Timer]
OnCalendar=daily
Persistent=true
RandomizedDelaySec=3600

[Install]
WantedBy=timers.target
```
Enable the timer:
```bash
sudo systemctl daemon-reload
sudo systemctl enable mxcp-log-cleanup.timer
sudo systemctl start mxcp-log-cleanup.timer

# Check timer status
systemctl list-timers | grep mxcp
```
Docker Scheduled Cleanup
```yaml
version: '3.8'

services:
  mxcp:
    build: .
    volumes:
      - audit-logs:/var/log/mxcp

  # Cleanup sidecar
  cleanup:
    image: your-mxcp-image
    volumes:
      - audit-logs:/var/log/mxcp
    command: >
      sh -c "while true; do
        sleep 86400;
        mxcp log-cleanup --profile production;
      done"
    depends_on:
      - mxcp

volumes:
  audit-logs:
```
Log Rotation
Audit logs are stored as JSONL files and do not have built-in rotation. Use external tools like logrotate to manage file sizes.
Using logrotate
Create /etc/logrotate.d/mxcp:
```
/var/log/mxcp/*.jsonl {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 640 mxcp mxcp
    postrotate
        # Signal MXCP to reopen log files
        kill -HUP $(pgrep -f "mxcp serve") 2>/dev/null || true
    endscript
}
```
Archiving Strategies
Archive to Object Storage
```bash
#!/bin/bash
# Stop on the first failure so the local archive is never removed after a failed upload
set -euo pipefail

DATE=$(date +%Y%m%d)
ARCHIVE_DIR="/var/log/mxcp/archive"
S3_BUCKET="s3://my-bucket/mxcp-audit"

# Compress old logs (skip files that are already compressed)
find /var/log/mxcp -maxdepth 1 -name "*.jsonl.*" ! -name "*.gz" -mtime +7 -exec gzip {} \;

# Move to archive
mkdir -p "$ARCHIVE_DIR"
find /var/log/mxcp -maxdepth 1 -name "*.gz" -exec mv {} "$ARCHIVE_DIR"/ \;

# Upload to S3
aws s3 sync "$ARCHIVE_DIR" "$S3_BUCKET/$DATE/"

# Clean up local archive after successful upload
rm -rf "${ARCHIVE_DIR:?}"/*
```
Archive to DuckDB
```bash
#!/bin/bash
# Stop on the first failure so cleanup never runs after a failed export
set -euo pipefail

DATE=$(date +%Y%m%d)
ARCHIVE_DB="/archive/audit-$DATE.duckdb"

# Export current logs
mxcp log --export-duckdb "$ARCHIVE_DB" --since 30d

# Compress archive
gzip "$ARCHIVE_DB"

# Clean up old JSONL logs
mxcp log-cleanup
```
Compliance Considerations
Retention Requirements
Different regulations have different retention requirements:
| Regulation | Typical Retention |
|---|---|
| SOC 2 | 1 year |
| HIPAA | 6 years |
| PCI DSS | 1 year |
| GDPR | As needed |
Note: The default 90-day retention may not meet all compliance requirements. For longer retention, consider archiving logs before they’re deleted (see Archiving Strategies above).
Secure Deletion
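For compliance, ensure secure deletion:
```bash
# Overwrite before deletion (shred overwrites in place; it removes the file only with -u)
# In-place overwriting is not reliable on copy-on-write filesystems or SSDs
shred -vfz -n 3 /var/log/mxcp/audit.jsonl.old

# Or use secure delete tools
srm -sz /var/log/mxcp/audit.jsonl.old
```
Audit Trail of Deletions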
Log cleanup operations:
```bash
#!/bin/bash
TIMESTAMP=$(date -Iseconds)
RECORDS_BEFORE=$(wc -l < /var/log/mxcp/audit.jsonl)

mxcp log-cleanup --profile production

RECORDS_AFTER=$(wc -l < /var/log/mxcp/audit.jsonl)
DELETED=$((RECORDS_BEFORE - RECORDS_AFTER))

echo "$TIMESTAMP: Deleted $DELETED audit records" >> /var/log/mxcp/cleanup-audit.log
```
Best Practices
1. Plan for Compliance Requirements
The default 90-day retention period works for most operational use cases. For compliance requirements that need longer retention:
```bash
# Archive before cleanup
mxcp log --export-duckdb /archive/audit-$(date +%Y%m%d).duckdb

# Then run cleanup
mxcp log-cleanup
```
2. Monitor Log Growth
Alert on unusual growth:
```bash
# Check log size (BSD/macOS stat syntax first, GNU stat as fallback)
LOG_SIZE=$(stat -f%z /var/log/mxcp/audit.jsonl 2>/dev/null || stat -c%s /var/log/mxcp/audit.jsonl)
if [ "$LOG_SIZE" -gt 1073741824 ]; then  # 1GB
    echo "WARNING: Audit log exceeds 1GB"
fi
```
3. Test Cleanup Before Production
```bash
# Always dry-run first
mxcp log-cleanup --dry-run --profile production

# Review what will be deleted
# Then run actual cleanup
mxcp log-cleanup --profile production
```
4. Archive Before Deletion
Keep archives for compliance:
```bash
# Archive first
mxcp log --export-duckdb /archive/audit-$(date +%Y%m%d).duckdb

# Then cleanup
mxcp log-cleanup
```
5. Regular Maintenance Schedule
- Daily: Run cleanup with retention policy
- Weekly: Archive old logs to cold storage
- Monthly: Verify retention compliance
- Quarterly: Review retention requirements
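The dry-run-first practice and the deletion audit trail described above, combined into one wrapper that a cron job or systemd unit can call; this is an added example, not MXCP's own code. It assumes `--json`, `--dry-run` and `--profile` can be combined; the trail path, the `max_expected` ceiling and the hash chaining of entries are illustrative choices.

```python
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

TRAIL = Path("/var/log/mxcp/cleanup-audit.jsonl")  # hypothetical trail file
GENESIS = "0" * 64  # "prev" value of the first entry

def planned_deletions(dry_run_json):
    """Sum the per-schema counts of a dry-run JSON report."""
    report = json.loads(dry_run_json)
    if report.get("status") != "dry_run":
        raise ValueError(f"not a dry-run report: {report.get('status')!r}")
    return sum(report["deleted_per_schema"].values())

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def audit_entry(result_json, prev_hash, when):
    """Wrap one cleanup result in a record chained to the previous entry."""
    entry = {**json.loads(result_json), "timestamp": when, "prev": prev_hash}
    entry["hash"] = _digest(entry)
    return entry

def verify_chain(entries):
    """True if every entry links to its predecessor and matches its own hash."""
    prev = GENESIS
    for entry in entries:
        if entry["prev"] != prev or entry["hash"] != _digest(entry):
            return False
        prev = entry["hash"]
    return True

def run(profile="production", max_expected=100_000):  # ceiling is an assumed value
    cmd = ["mxcp", "log-cleanup", "--profile", profile, "--json"]
    dry = subprocess.run(cmd + ["--dry-run"], capture_output=True, text=True, check=True)
    if planned_deletions(dry.stdout) > max_expected:
        raise SystemExit("dry run exceeds expected volume; cleanup not run")
    real = subprocess.run(cmd, capture_output=True, text=True, check=True)
    lines = TRAIL.read_text().splitlines() if TRAIL.exists() else []
    prev = json.loads(lines[-1])["hash"] if lines else GENESIS
    entry = audit_entry(real.stdout, prev, datetime.now(timezone.utc).isoformat())
    with TRAIL.open("a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")

if __name__ == "__main__":
    run()
```

Keeping a copy of the latest `hash` value off-host makes truncation of the trail detectable, since `verify_chain` alone cannot see entries removed from the end.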
Troubleshooting
"Log file locked"
```bash
# Check if MXCP is writing to the log
lsof /var/log/mxcp/audit.jsonl

# Wait for writes to complete or
# send SIGHUP to close and reopen
kill -HUP $(pgrep -f "mxcp serve")
```
"Permission denied"
```bash
# Check permissions
ls -la /var/log/mxcp/

# Fix permissions
sudo chown mxcp:mxcp /var/log/mxcp/*.jsonl
sudo chmod 640 /var/log/mxcp/*.jsonl
```
"Disk full"
```bash
# Emergency cleanup
mxcp log-cleanup --profile production

# Or remove oldest archives
# (this glob matches every compressed archive; narrow it to keep recent ones)
rm /var/log/mxcp/audit.jsonl.*.gz

# Check disk space
df -h /var/log/mxcp
```
Next Steps
- Auditing - Audit log configuration
- Monitoring - Log analysis
- Deployment - Production setup