Hi.
I'll start by saying that we have not implemented partitions yet and are not all the way through with our plans for retention. But from my understanding, partitions are more for clearing out what you don't want to save for longer. I can't really find any info on this, but this is my interpretation of it. The partitions don't guarantee that the data is available for 3 months, or whatever you set, as that depends on available disk space. They will, however, age out the data at those 3 months.
When I check our environment, the fields we defined when we fetch logs via agents are available to use for filters. Have you installed the content pack for NSX-T? Maybe it will provide you with some defined fields to use for filters.
So if you need to have something live searchable for 3 months, you need to try to calculate how much data you need to save and then add storage to the Log Insight server or scale out to a cluster, 3+ nodes. There is also archiving, which lets you save the data on a share and then import it into a Log Insight environment when you need to look at it, if the auditor is OK with that.