Administration of Log Insight

Request for variable retention

IHAC customer (CBA) that needs to retain up to 3 months of data in vRLI. Unfortunately, my customer's vRLI setup is now only retaining 7-8 days of data (it's slowly been dropping with the migrations)… this is all due to the volume of DFW (NSX) logs… The customer has discussed dropping all accepted/allowed, but customer security policy informed the customer that it wouldn't be allowed to do so.

The customer has queried...

Administration of Log Insight

Customize fields in the alert.log file

I have Log Insight version 4.3 installed, and I would like the capability of limiting who can schedule a query or search. I know there isn't a capability in Log Insight for this feature (yet). I know that version 2.0 introduced an alert.log file. I have a script that stays in memory. The script reads the alert.log file. If a new line is found, then the script will parse the current line and send data (syslog or snmp)...

Administration of Log Insight

Forwarding windows events (UDP/TCP) always includes tags

I am forwarding windows events collected by LI agent from Log Insight to Splunk using syslog protocol. The box "Forward complementary tags" is not checked, but it seems to be always on. On the receiver side I see the following additional stuff in the event: - - - [Originator@6876 eventid="326" task="General" keywords="Classic" level="Information" channel="Application" eventrecordid="2018" providername="ESENT"]
Complementary...

Administration of Log Insight

Forwarder produces events in the Windows Event XML format

Log Insight's Forwarder supports Syslog and CFAPI (HTTP+JSON) today. The Forwarder should be extended with an additional serialization format, conforming to the Windows Events XML schema. Standard Windows Events' XML attributes should be reconstructed from standard Log Insight field=value pairs.

This aligns with

Administration of Log Insight

Tiered online, searchable data storage

When Log Insight's local capacity to store messages is exhausted, messages are archived to a remote NFS location. It would be beneficial if this flow could be tiered such that data was available online as today but moved to a slower & higher-capacity tiered disks as it ages.

Consider the use-case of keeping the most recent 50GB of data on SSD, migrating it to ~5TB of slower spindles over time while keeping it searchable,...