VMware Cloud Community
jadedpuppy
Contributor
Contributor
‎01-05-2017 07:18 AM

Remove/delete log entries

I need to know if there is a way to search for certain logs, by the age of that log, and delete it.  Reasoning is below.

vRealize Log Insight is a good tool, but the one area where it fails spectacularly is being able to control the retention length for logs.  Since vLI uses the available storage as the mechanism to determine what logs to delete or archive (if archive is setup), it is all but impossible to guarantee that a given node will have X days of logs available in the vLI.  It also makes vLI very prone to "noisy neighbor" issues, where node X is producing a lot of logs and therefore consuming a lot of disk, and reducing the number/age of logs for node Y.  To combat this issue, I was hoping I could run a job where it looks for messages older than X age, and deletes them.  This doesn't solve the problem entirely, but it certainly helps.  However, there does not appear to be a way to delete a log entry.  If there is, I cannot find it.

So to re-ask the question: Is there a way to delete log entries, specifically by searching for log entries older than a certain date? 

Thanks for any help.

0 Kudos
3 Replies
admin
Immortal
Immortal
‎01-09-2017 10:56 AM

There is no way in vRLI to do what you are looking to do that is to delete logs (old or not) you have to wait for them to recycled out ( based on the retention period configured). If this feature is really important to you please submit a feature request at loginsight.vmware.com.

Hope this helps.

0 Kudos
jadedpuppy
Contributor
Contributor
‎01-09-2017 12:17 PM

There is no retention date set within vRLI though, its just an archive "on/ff" policy, unless I'm missing something.  From my understanding, the archive only starts when the attached storage begins to get full.  Once it is spooled off to NFS storage, you could write policies to delete data that was X days old of course. 

Am I missing something?  Is there actually a retention policy available in vRLI?

0 Kudos
admin
Immortal
Immortal
‎01-09-2017 12:26 PM

Correct.

vRealize Log Insight does not manage the NFS mount used for archiving purposes. If system notifications are enabled, vRealize Log Insight sends an email when the NFS mount is about to run out of space or is unavailable. If the NFS mount does not have enough free space or is unavailable for a period of time greater than the retention period of the virtual appliance, vRealize Log Insight stops ingesting new data until the NFS mount has enough free space, becomes available, or archiving is disabled.


Having said that there is a system notification for Repository Retention Time - This alert notifies you about the amount of searchable data that vRealize Log Insight can store at the current ingest rates and in the storage space that is available on the virtual appliance. Admin users can define the storage notification threshold.  Details in help topic : Configure vRealize Log Insight System Notifications to Send Email Messages

0 Kudos