I’m trying to help out on the forensics of a large data loss on a shared file. I’ve found what appears to be a significant clue in the sharing logs
Let me start by saying that the sharing logs weren’t designed to be of any use for this sort of forensic purpose. I’m not sure what your goal is, but if you are somehow thinking that you can recover lost data from information in the logs, that isn’t something I would spend any time on myself.
These logs were primarily of use to me in debugging this code five years or so ago. But even five years ago when this was all fresh in my mind, I would mostly look at one of these synchronized log entries immediately after synchronization, to see if it matched what seemed to be happening. I don’t think I could ever have looked at a historical series of log entries and reverse engineered what had happened.
can’t find anything definitive in how to read the logs.
I’m pretty sure there is no written information about this, and as I said above, these logs weren’t really intended to contain enough information for the kind of forensic deep dive you are envisioning.
That said, I do have a vague recollection that I might have discussed these log entries when doing the video classes. I think this would most likely be in the Panorama X Server Deep Dive Part 4 video.
My take is that the “ts:” represents the number of records in the database
These numbers have nothing to do with the number of records. “ts” is short for “time stamp”. Panorama X time stamps aren’t actually based on clock time, but they do keep track of the order of events. So an event that happened at ts = 7 definitely occurred after an event at ts = 6. Every time any modification is made to a shared database, Panorama increments the internal time stamp.
If you take a new database and just add records to it, no other modifications, then the time stamp will correspond to the number of records. But usually other modifications are also happening - editing cells, deleting records, etc. So the time stamp can and does increase even if the number of records doesn’t go up - or even if it goes down.
Also, the time stamp will reset when a critical new generation is done. If your log isn’t recording new generations, you won’t see that in the log, but it could appear that time stamps are out of order.
followed by the number after synching
There are two numbers after “ts:” separated by a dash. Looking at the source code, I believe the first number is the time stamp when this client last requested a sync, in other words the client is telling the server “I am already synchronized up to this point”.
The second number is the time stamp the server has for this database. So the server will supply all of the changes between the client’s time stamp and the server’s. After the synchronization both the client and the server will have the same time stamp.
The highlighted record in the screenshot below fits the time when the problem began.
Ignore the first number, it’s the second number that is interesting. It went from 795 to 840 to 446. This number should NEVER go down, only up. The only exception would be if there was a new sharing generation. I don’t know if your logs are set up to record new sharing generations. I think you have to have Database Management checked under logging options. Based on the logs I would think there would have to have been TWO new sharing generations, one between 2:39 PM yesterday and 8:30 AM today, and another between 8:34 AM and 9:23 AM.
It’s interesting that the session numbers go from 55 to 3. Perhaps this means that the server restarted? Though if so, what happened to sessions 1, 2, 4 and 6? Hmm - this log is from THIS MORNING, so perhaps someone remembers whether the server restarted. Though restarting the server should not cause a synchronization problem, unless someone manually fiddled with the server files. Also, hopefully someone remembers whether any new sharing generations were done in the past 24 hours.
What are the settings for Auto Save Timeout and Save Transaction journal for this server? These control whether or not the server data is protected if the server crashes. Though they would have to be really wacky to cause log entries shown, I don’t think it would even be possible. But I have to ask.