You can retain log data in a partition with a filter and a retention period. Data partitions let you define different retention periods for different types of logs. For example, logs with sensitive information might require a short retention period, such as five days. You can also archive the data in a data partition to an NFS mount, to retain the logs for an extended period.

The log data that matches the filter criteria for a data partition is stored in the partition for the specified retention period. If you activate archiving, the data is moved to NFS storage after the retention period. Logs that do not match the filter criteria in any of the defined data partitions are stored in the default partition. This partition is always activated and stores data for an unlimited amount of time. You can modify the retention period and activate archiving for the default partition.
Note: You can create a maximum of five data partitions.

Prerequisites

  • If you want to activate archiving for a data partition, verify that you have access to an NFS partition that meets the following requirements.
    • The NFS partition must allow read and write operations for guest accounts.
    • The mount must not require authentication.
    • The NFS server must support NFS v3 or v4.
    • If using a Windows NFS server, allow unmapped user UNIX access (by UID/GID).
    For more information about archiving, see Data Archiving.
  • Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin user, or a user associated with a role that has the relevant permissions. See Create and Modify Roles for more information. The URL format of the web user interface is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.

Procedure

  1. Navigate to the Administration tab.
  2. Under Management, click Log Management and then click Index Partitions.
  3. To view details for the default partition such as the retention period and archival location, click the edit icon against the partition titled Default Partition. To modify the details for the partition, click the edit icon and follow steps 7 through 9.
  4. To create a partition, click New Partition and follow steps 5 through 9.
  5. In the Partition Name text box, enter a name for the data partition.
  6. Add one or more filters to refine the logs that you want to store in the data partition. Optionally, click Run in Interactive Analytics to preview the filtered log results.
  7. In the Retention Period text box, enter the number of days for which you want to retain logs in the data partition. Enter 0 for an unlimited retention period.
  8. Click the Archive Location toggle button to archive the log data in the partition. In the text box, enter the NFS location where you want to store the archived data, in the form nfs://servername<:port-number>/exportname. The port number defaults to 2049.
    Click Test to verify the connection with the NFS storage.
  9. Click Save.
    Note:
    • The data partition is activated by default. To deactivate it, use the toggle button against the partition on the Index Partitions tab.
    • Creating, modifying, and deleting data partitions requires you to restart vRealize Log Insight on all the cluster nodes.

      After vRealize Log Insight restarts, verify that syslog feeds from ESXi continue to arrive in vRealize Log Insight.

Results

The data partition is listed in the Index Partitions tab with information about whether the partition is activated, the filter criteria, retention period, storage used, and the time at which the first log was ingested. You can view or modify the partition details by clicking the edit icon against the partition name.
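
The following pre-flight check is an added example, not part of the product or its documentation. It validates a planned set of partitions against the limits stated above (at most five partitions, at least one filter, retention in whole days with 0 meaning unlimited, archive location of the form nfs://servername<:port-number>/exportname with port 2049 as the default) before you enter them in the UI. The dictionary keys, function names, filters and host names are assumptions made for the example.

```python
from urllib.parse import urlsplit

MAX_PARTITIONS = 5        # "You can create a maximum of five data partitions."
DEFAULT_NFS_PORT = 2049   # used when the archive location omits the port

def parse_archive_location(location):
    """Split nfs://servername[:port]/exportname into (server, port, export)."""
    parts = urlsplit(location)
    if parts.scheme != "nfs":
        raise ValueError("archive location must start with nfs://")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials present; the mount must not require authentication")
    if not parts.hostname:
        raise ValueError("server name is missing")
    if parts.path.strip("/") == "":
        raise ValueError("export name is missing")
    port = parts.port  # raises ValueError unless it is a number in 0-65535
    return parts.hostname, DEFAULT_NFS_PORT if port is None else port, parts.path

def check_plan(partitions):
    """Return a list of problems found in a list of planned partitions."""
    problems = []
    if len(partitions) > MAX_PARTITIONS:
        problems.append(f"{len(partitions)} partitions planned, limit is {MAX_PARTITIONS}")
    for p in partitions:
        name = p.get("name") or "<unnamed>"
        if not p.get("filters"):
            problems.append(f"{name}: needs at least one filter")
        days = p.get("retention_days")
        if isinstance(days, bool) or not isinstance(days, int) or days < 0:
            problems.append(f"{name}: retention must be whole days, 0 = unlimited")
        if p.get("archive"):
            try:
                parse_archive_location(p["archive"])
            except ValueError as exc:
                problems.append(f"{name}: archive location: {exc}")
    return problems

# Constructed sample plan; names, filters and hosts are illustrative only.
SAMPLE_PLAN = [
    {"name": "sensitive-auth", "filters": ["appname contains sshd"], "retention_days": 5},
    {"name": "esxi", "filters": ["hostname starts with esx"], "retention_days": 90, "archive": "nfs://nas01.example.test/exports/li-archive"},
    {"name": "firewall", "filters": [], "retention_days": -1, "archive": "nfs://svc:secret@nas01.example.test:2049/fw"},
]

if __name__ == "__main__":
    for line in check_plan(SAMPLE_PLAN) or ["plan is consistent with the documented limits"]:
        print(line)
```

The check only covers the format and limits; the Test button in step 8 remains the way to confirm that the NFS export is actually reachable and writable.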