I just deployed Log Insight for vCenter and have a few questions.
1. I realized that I did not have reverse DNS entries for some of my hosts. This caused my OSI count to increase. Is there a way to delete the older log entries so I can stay compliant? I'm concerned that it will stop accepting logs if I go over 25, when in reality, I have about 18 OSI.
2. What is the default retention setting and how can we change it?
3. Does it automatically rotate/purge logs when we reach fill up the storage retention?
Thanks.
1. It is a daily average so OSI will get fixed automatically. Also LI will continue to work event if over limit -- you will just see a warning. There is no way to delete, once the data is retired (rotates out) it will automatically get removed
2. 1 month, see /admin/general
3. Yes
Regarding the retention question #2, under Admin | General is the "Retention Notification Threshold" which by default will "Send a notification when capacity drops below 1 month of data in the system". I'm interpreting this as just a notification, but not a setting of what my retention period is. If I'm not ingesting several logs, I won't hit that threshold for several months and based on this, it appears the retention is based on the size of the storage. I guess I should have clarified my question more - What if I wanted to rotate out logs every 24 hours, where is that setting?
Thanks again!
You're correct - retention is based on storage space in Log Insight today. Date-based retention controls are under consideration - please see this feature request: http://loginsight.vmware.com/a/dtd/Variable-retention-periods/8997-24427