We have a use case where we would like to have Log Insight drop all events of a certain severity (example: TRIVIA and below) after a week. Using this selective trimming would allow us to keep a normal retention period for our normal data, because the volume associated with trivia logging would not persist beyond a week. Obviously, the level and retention period should be user defined.
New EU laws force companies to limit user log data to 1 year.
So it would be good if archiving features could be limited by time.
It would be nice to know without having to write a query how old the oldest data in the system is. If we could track this per host sending data, that would be even better.
It would be nice to allow selection of an event to add an additional column into the event view displaying the time offset between the selected event and visible events.
Select an event which happened at 2015-08-08T10:00:00.
Then events which happened in the past (say 2015-08-08T09:50:30) could display "T - 9M30S",
and events in the future could display "T + 9M30S".
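As an added illustration of the offset column described in this request (example code, not part of the original post and not Log Insight's own implementation), the following Python sketch computes the signed offset of every visible event from a selected one and renders it in the "T - 9M30S" / "T + 9M30S" style, generalised to days and hours. The event list is constructed for the example.

```python
from datetime import datetime

# Constructed sample events (not from the original post); index 1 is the
# selected 2015-08-08T10:00:00 event from the request.
EVENTS = [
    "2015-08-08T09:50:30 backup job started",
    "2015-08-08T10:00:00 backup job finished",
    "2015-08-08T10:09:30 vmotion completed",
    "2015-08-09T11:02:05 host reconnected",
]


def parse_ts(line):
    """Parse the leading ISO-8601 timestamp (first 19 characters) of a log line."""
    return datetime.strptime(line[:19], "%Y-%m-%dT%H:%M:%S")


def format_offset(selected, other):
    """Render other - selected as 'T + 1D2H3M4S' / 'T - 9M30S', omitting zero units."""
    secs = int((other - selected).total_seconds())
    sign = "+" if secs >= 0 else "-"
    secs = abs(secs)
    days, rem = divmod(secs, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    parts = []
    if days:
        parts.append(f"{days}D")
    if hours:
        parts.append(f"{hours}H")
    if minutes:
        parts.append(f"{minutes}M")
    # Always emit seconds when nothing else was emitted, so the selected
    # event itself reads "T + 0S" rather than an empty string.
    if seconds or not parts:
        parts.append(f"{seconds}S")
    return f"T {sign} {''.join(parts)}"


def offset_view(events, selected_index):
    """Return (offset column, original line) pairs for the whole visible event list."""
    selected = parse_ts(events[selected_index])
    return [(format_offset(selected, parse_ts(e)), e) for e in events]


if __name__ == "__main__":
    for offset, line in offset_view(EVENTS, 1):
        print(f"{offset:<16} {line}")
```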
When monitoring an environment you may expect messages within a certain timeframe (backups within the defined backup windows). However, seeing these messages outside the normal windows is a cause for alarm / investigation. Log Insight should allow setting a timeframe criteria for alarms so that users can set up alerts for defined aberrant behaviour. Backups running outside backup windows. Logins outside business hours.
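As an added illustration of the time-window alert this request describes (example code, not part of the original post and not Log Insight's own alerting feature), the following Python sketch evaluates hypothetical rules of the form "message matching X is only expected between start and end on these weekdays" over constructed sample log lines, and raises an alert for every match that falls outside its window. Rule names, the backup window (01:00 to 04:00 daily) and the business-hours window (08:00 to 18:00, Monday to Friday) are assumptions chosen for the example.

```python
from datetime import datetime, time

# Constructed sample log lines (not from the post): "<ISO timestamp> <message>".
# 2015-08-10 is a Monday, 2015-08-09 is a Sunday.
SAMPLE_LOGS = [
    "2015-08-10T02:15:00 backup: job nightly-vm completed",
    "2015-08-10T14:20:00 backup: job nightly-vm completed",
    "2015-08-10T09:05:00 sshd: Accepted password for admin from 10.0.0.5",
    "2015-08-10T23:41:00 sshd: Accepted password for admin from 10.0.0.5",
    "2015-08-09T10:00:00 sshd: Accepted password for admin from 10.0.0.5",
]

# Hypothetical alert rules: substring to match, the window in which the
# message is expected, and the weekdays (0=Monday .. 6=Sunday) it applies to.
RULES = [
    {
        "name": "backup outside backup window",
        "match": "backup:",
        "start": time(1, 0),
        "end": time(4, 0),
        "weekdays": set(range(7)),
    },
    {
        "name": "login outside business hours",
        "match": "Accepted password",
        "start": time(8, 0),
        "end": time(18, 0),
        "weekdays": set(range(5)),
    },
]


def in_window(ts, rule):
    """True if ts falls inside the rule's allowed weekdays and [start, end) time window.

    Windows that cross midnight (e.g. 22:00 to 02:00) are handled by splitting
    the check into 'after start' or 'before end'.
    """
    if ts.weekday() not in rule["weekdays"]:
        return False
    start, end, t = rule["start"], rule["end"], ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(lines, rules=RULES):
    """Return (rule name, log line) for every matching message seen outside its window."""
    alerts = []
    for line in lines:
        ts = datetime.strptime(line[:19], "%Y-%m-%dT%H:%M:%S")
        msg = line[20:]
        for rule in rules:
            if rule["match"] in msg and not in_window(ts, rule):
                alerts.append((rule["name"], line))
    return alerts


if __name__ == "__main__":
    for name, line in evaluate(SAMPLE_LOGS):
        print(f"ALERT [{name}]: {line}")
```

The rules key on weekday and local time only; in a real deployment the timestamp's time zone and the host's clock skew decide which window an event really fell in, so the parser would need to normalise both before this check is meaningful.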