We're looking to address a need to retain at least three months of firewall logs from NSX-T. We're using vRLI 8.2 to store these logs at the moment and currently have 16 days of logs (with a single 'medium' brick).
The two 'levers' that I am aware of are:
* Turn off logging in NSX-T on a per-rule basis - not desirable as we are required to keep all logs. I separated DNS into a rule and turned off logging and this increased the retention from 6 to 16 days, but we're now without troubleshooting capability in this space and the auditor might say "what about DNS hacking?".
* vRLI has a 'partitions' feature. I would like to try separating traffic into different retention (e.g. DNS for a few days so we keep some troubleshooting, intra-application traffic for a shorter period, and external traffic for the three months). However, the partitions feature doesn't allow you to filter on NSX-T fields (only the core/static fields).
Any ideas here? How are you achieving some sort of retention that an auditor will approve of?
Haven't hit that particular obstacle yet
I have vRLI deployed in the form of a cluster and I'm planning to enable NFS archive:
I'll start by saying that we have not implemented partitions yet and are not all the way through with our plans for retention. But from my understanding, partitions are more for clearing out what you don't want to save for longer. I can't really find any info on this, but this is my interpretation of it. Partitions don't guarantee that the data is available for 3 months (or whatever you set), as that depends on available disk space. They will, however, age out the data at those 3 months.
When I check our environment, the fields we defined when we fetch logs via agents are available to use for filters. Have you installed the content pack for NSX-T? Maybe it will provide you with some defined fields to use for filtering.
So if you need to have something live-searchable for 3 months, you need to try to calculate how much data you need to save and then add storage to the Log Insight server or scale out to a cluster (3+ nodes). There is also archiving, which lets you save the data on a share and then import it into a Log Insight environment when you need to look at it, if the auditor is OK with that.
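A sizing model for the "calculate how much data you need to save" step, added here as an example and not code from anyone in the thread: it uses the question's two observations (6 days of retention with DNS logged, 16 days without, on the same brick) to estimate DNS's share of ingest, then computes how much current storage must grow for a flat 90-day policy versus the tiered per-class policy the question proposes. The 7-day and 30-day tiers and the 25% intra-application share are assumed values for illustration.

```python
"""Storage sizing model for log retention with per-class retention periods."""
from __future__ import annotations
from dataclasses import dataclass
import math


@dataclass
class LogClass:
    name: str
    share: float           # fraction of total daily ingest volume (0..1)
    retention_days: float  # how long this class must stay live-searchable


def dns_share_from_observations(days_with_dns: float, days_without_dns: float) -> float:
    """DNS share of ingest, derived from retention observed on the same fixed storage.

    C = ingest_all * days_with = ingest_rest * days_without, hence
    dns_share = 1 - ingest_rest / ingest_all = 1 - days_with / days_without.
    """
    if not 0 < days_with_dns <= days_without_dns:
        raise ValueError("retention without DNS must be >= retention with DNS")
    return 1.0 - days_with_dns / days_without_dns


def capacity_multiplier(classes: list[LogClass], observed_days_full_ingest: float) -> float:
    """Factor by which current storage must grow to honour every class's retention.

    Storage is measured in 'days of full ingest': today's storage holds
    observed_days_full_ingest of everything; the policy needs the sum of
    share * retention_days over all classes.
    """
    total_share = sum(c.share for c in classes)
    if not math.isclose(total_share, 1.0, abs_tol=1e-9):
        raise ValueError(f"class shares must sum to 1.0, got {total_share}")
    needed = sum(c.share * c.retention_days for c in classes)
    return needed / observed_days_full_ingest


if __name__ == "__main__":
    # Observations from the question: 6 days with DNS logged, 16 days without.
    dns = dns_share_from_observations(6, 16)  # 0.625
    print(f"DNS share of ingest: {dns:.1%}")
    everything_90 = [LogClass("all firewall logs", 1.0, 90)]
    print(f"All logs, 90 days: {capacity_multiplier(everything_90, 6):.1f}x current storage")
    # Tiered policy as proposed in the question; the 25% intra-application share is assumed.
    tiered = [LogClass("dns", dns, 7),
              LogClass("intra-application", 0.25, 30),
              LogClass("external", 1 - dns - 0.25, 90)]
    print(f"Tiered policy: {capacity_multiplier(tiered, 6):.2f}x current storage")
```

The multiplier is relative to whatever storage gave the observed retention, so multiply it by the current brick or node count to get a rough target for scaling out.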