You can retain log data in a partition with a filter and a retention period. Index partitions let you define different retention periods for different types of logs. For example, logs with sensitive information might require a short retention period, such as five days. You can also archive the data in an index partition to an NFS mount, to retain the logs for an extended period.

The log data that matches the filter criteria for an index partition is stored in the partition for the specified retention period. If you activate archiving, the data is moved to an NFS storage after the retention period. Logs that do not match the filter criteria in any of the defined index partitions are stored in the default partition. This partition is always activated and stores data for an unlimited amount of time. You can modify the retention period and activate archiving for the default partition.
Note: You can create a maximum of five index partitions.

Prerequisites

  • If you want to activate archiving for an index partition, verify that you have access to an NFS partition that meets the following requirements.
    • The NFS partition must allow reading and writing operations for guest accounts.
    • The mount must not require authentication.
    • The NFS server must support NFS v3 or v4.
    • If using a Windows NFS server, allow unmapped user UNIX access (by UID/GID).
    For more information about archiving, see Data Archiving.
  • Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin user, or a user associated with a role that has the relevant permissions. See Create and Modify Roles for more information. The URL format of the web user interface is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.

Procedure

  1. Expand the main menu, click Log Management and then click Index Partitions.
  2. To view details for the default partition such as the retention period and archival location, click the edit icon against the partition titled Default Partition. To modify the details for the partition, click the edit icon and follow steps 7 through 9.
  3. To create a partition, click New Partition and follow steps 5 through 9.
  4. In the Partition Name text box, enter a name for the index partition.
  5. Add one or more filters to refine the logs that you want to store in the index partition. Optionally, click Run in Explore Logs page to preview the filtered log results.
  6. In the Retention Period text box, enter the number of days for which you want to retain logs in the index partition. Enter 0 for an unlimited retention period.
  7. Click the Archive Location toggle button to archive the log data in the partition. In the text box, enter the NFS location where you want to store the archived data, in the form nfs://servername<:port-number>/exportname. The port number defaults to 2049.
    Click Test to verify the connection with the NFS storage.
  8. Click Save.
    Note:
    • The index partition is activated by default. To deactivate it, use the toggle button against the partition on the Index Partitions tab.
    • Creating, modifying, and deleting index partitions requires you to restart vRealize Log Insight on all the cluster nodes.

      After vRealize Log Insight restarts, verify that syslog feeds from ESXi continue to arrive in vRealize Log Insight.

Results

The index partition is listed in the Index Partitions tab with information about whether the partition is activated, the filter criteria, retention period, storage used, and time of ingesting the first log. You can view or modify the partition details by clicking the edit icon against the partition name.