Analog doesn't save its state in a separate file or database. It always operates on the logfiles you tell it to. So if you trim logs after two weeks, you will only have statistics for two weeks in later runs.

The algorithm is the following:
1. The logfiles that match the filename patterns in the config file and are newer than inputfiles_mtime are grepped for matching lines and converted into fwanalog.current.log.
2. The last line of fwanalog.all.log is searched for in fwanalog.current.log, and everything after it is appended to fwanalog.all.log.

By changing inputfiles_mtime, you only optimize the first part of the processing, which doesn't take as long as the Analog processing does. So it won't help very much.

Perhaps if you have such problems with the logfile size, you could take out the obvious worm attacks (SQL Slammer, MS Blaster etc.) and concentrate just on the "interesting" blocked packets.
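
The incremental merge in step 2 above, sketched as an added example (this is not fwanalog's own code). The function name merge_new_lines, the choice of the last matching line as the marker, and the fall-back of appending everything when the marker is missing are assumptions; the log lines are constructed.

```shell
#!/bin/sh
# merge_new_lines CURRENT ALL   (hypothetical helper, not part of fwanalog)
# Appends to ALL every line of CURRENT that follows ALL's final line.
merge_new_lines() {
    current=$1
    all=$2
    # No history yet: every line in CURRENT is new.
    if [ ! -s "$all" ]; then
        cat "$current" >> "$all"
        return 0
    fi
    last=$(tail -n 1 "$all")
    # Line number of the last exact match of the marker in CURRENT (0 if absent).
    # The marker is passed via the environment so awk compares it literally.
    pos=$(LAST="$last" awk '$0 == ENVIRON["LAST"] { n = NR } END { print n + 0 }' "$current")
    if [ "$pos" -eq 0 ]; then
        # Assumption: the marker was rotated or trimmed away, so treat all of
        # CURRENT as new instead of silently losing it.
        cat "$current" >> "$all"
    else
        # Append only what follows the marker; nothing if it is the last line.
        tail -n +"$((pos + 1))" "$current" >> "$all"
    fi
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample lines in an iptables-like shape, not real log data.
    l1='Jan 10 10:00:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.1 PROTO=UDP DPT=1434'
    l2='Jan 10 10:00:07 fw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.1 PROTO=TCP DPT=135'
    l3='Jan 10 10:02:30 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP DPT=22'
    printf '%s\n' "$l1" "$l2" > "$dir/fwanalog.all.log"
    printf '%s\n' "$l1" "$l2" "$l3" > "$dir/fwanalog.current.log"
    merge_new_lines "$dir/fwanalog.current.log" "$dir/fwanalog.all.log"
    merge_new_lines "$dir/fwanalog.current.log" "$dir/fwanalog.all.log"  # second run adds nothing
    wc -l < "$dir/fwanalog.all.log"
    rm -rf "$dir"
}
demo
```

Because the marker is only looked for in the lines that survived step 1, trimming or rotating the source logs between runs is what decides whether the overlap is found.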


