We're looking to address a need to retain at least three months of firewall logs from NSX-T. We're using vRLI 8.2 to store these logs at the moment and currently have 16 days of logs (with a single 'medium' brick).
The two 'levers' that I am aware of are:
* Turn off logging in NSX-T on a per-rule basis - not desirable as we are required to keep all logs. I separated DNS into a rule and turned off logging and this increased the retention from 6 to 16 days, but we're now without troubleshooting capability in this space and the auditor might say "what about DNS hacking?".
* vRLI has a 'partitions' feature. I would like to try separating traffic into different retention periods (e.g. DNS for a few days so we keep some troubleshooting, intra-application traffic for a shorter period, and external traffic for the three months). However, the partitions feature doesn't allow you to filter on NSX-T fields (only the core/static fields).
Any ideas here? How are you achieving some sort of retention that an auditor will approve of?
Thanks!
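One way around the partition filter only seeing static fields is to classify each firewall line before it reaches vRLI (e.g. in a syslog relay) and prepend a static key/value that the partition filter can match. The following is an added illustration, not code from the original post or from VMware; the sample log lines only approximate the NSX-T distributed-firewall flow record, and the field names, internal ranges and retention values are assumptions to be checked against your own data.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines approximating the NSX-T DFW syslog flow record;
# the real format varies by version, so verify the regex against vRLI data.
SAMPLE_LINES = [
    "INET match PASS 1024 OUT 60 UDP 10.10.1.5/51000->10.10.0.53/53",
    "INET match PASS 2048 IN 52 TCP 10.10.1.5/44000->10.10.2.9/443",
    "INET match DROP 3072 IN 40 TCP 203.0.113.7/40001->10.10.1.5/22",
    "INET match PASS 4096 OUT 40 TCP 10.10.1.5/40002->198.51.100.10/443",
    "some line the regex does not understand",
]

FLOW_RE = re.compile(
    r"\b(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Assumed internal ranges (RFC 1918); replace with the real address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical retention tiers in days matching the post's intent.
# Unparsed lines get the longest tier so a parser gap can never
# silently shorten the audit history.
RETENTION_DAYS = {"dns": 7, "intra-app": 14, "external": 90, "unknown": 90}


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(line: str) -> str:
    """Return the retention class for one firewall log line."""
    m = FLOW_RE.search(line)
    if not m:
        return "unknown"
    if 53 in (int(m["sport"]), int(m["dport"])):
        return "dns"
    if is_internal(m["src"]) and is_internal(m["dst"]):
        return "intra-app"
    return "external"


def tag(line: str) -> str:
    """Prefix a static key/value pair (hypothetical names) for a partition filter."""
    cls = classify(line)
    return f"retention={cls} retention_days={RETENTION_DAYS[cls]} {line}"


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(tag(sample))
```

The relay would then send tagged lines to vRLI, where one partition per `retention=` value applies the matching retention period.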