Data archiving preserves old logs that might otherwise be removed from the Log Insight virtual appliance due to storage constraints. Log Insight can store archived data to NFS mounts.
To take control of your logs and keep the provisioned storage partition of the logging server from growing, you can configure Log Insight archiving in a few simple steps.
In this case we will use a Windows Server 2016 machine as the NFS archive target for the logs.
Before describing how to configure it, it is important to know the following:
Log Insight does not manage the NFS mount used for archiving purposes. If system notifications are enabled, Log Insight sends an email when the NFS mount is about to run out of space or is unavailable. If the NFS mount does not have enough free space or is unavailable for a period of time greater than the retention period of the virtual appliance, Log Insight stops ingesting new data until the NFS mount has enough free space, becomes available, or archiving is disabled.
The prerequisites for configuring the archive are:
– The NFS partition must allow read and write operations for guest accounts.
– The mount must not require authentication.
– The NFS server must support NFS v3.
First we will configure an NFS share on Windows Server 2016.
The setup is done in two steps. First, install the role, either through the “Add Roles and Features” wizard in Server Manager or with PowerShell:
Install-WindowsFeature FS-NFS-Service
Then go to File and Storage Services => Shares in Server Manager and run the New Share command under Tasks.
Select the share profile.
Select the server and path for this share; in my case I created a dedicated archive partition with 300 GB.
Specify the share name.
Set the authentication methods.
In the following share permissions dialog, you can restrict access to individual hosts, client groups or network groups. Because the mount must work without authentication, this host restriction is what limits who can reach the archive, so we will restrict the permission to the Log Insight host.
After that, set the needed NTFS permissions and confirm the selection.
The share is created.
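The same share can be created from PowerShell instead of the wizard. This is an added example, not part of the original walkthrough: the share name, path and Log Insight host name are placeholders, and the anonymous/unmapped access settings are an assumption chosen to match the prerequisites above. NTFS permissions are still set separately, as in the wizard.

```powershell
# Added example. All three values below are placeholders; adjust them to your environment.
$ShareName      = 'loginsight-archive'        # placeholder share name
$SharePath      = 'E:\LogInsightArchive'      # placeholder folder on the dedicated archive partition
$LogInsightHost = 'loginsight.example.local'  # placeholder name or IP of the Log Insight appliance

# Install the Server for NFS role only if it is missing.
if (-not (Get-WindowsFeature -Name FS-NFS-Service).Installed) {
    Install-WindowsFeature -Name FS-NFS-Service -IncludeManagementTools
}

# Create the archive folder if it does not exist yet.
if (-not (Test-Path -Path $SharePath)) {
    New-Item -ItemType Directory -Path $SharePath | Out-Null
}

# Create the share with AUTH_SYS only (no Kerberos), because Log Insight
# requires a mount without authentication.
# Assumption: anonymous and unmapped access are both enabled to satisfy the
# "guest accounts can read and write" prerequisite.
# -Permission no-access sets the default for all machines to "no access",
# so nothing can mount the share until a client is granted explicitly.
New-NfsShare -Name $ShareName -Path $SharePath `
    -Authentication sys `
    -EnableAnonymousAccess $true `
    -EnableUnmappedAccess $true `
    -Permission no-access

# Grant read/write to the Log Insight host only.
Grant-NfsSharePermission -Name $ShareName `
    -ClientName $LogInsightHost `
    -ClientType host `
    -Permission readwrite

# Review the result: share settings and the per-client permission list.
Get-NfsShare -Name $ShareName | Format-List *
Get-NfsSharePermission -Name $ShareName
```

The permission list should show the Log Insight host with read/write and all other machines with no access.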
Now switch to your Log Insight administration UI and log in with the admin account.
Go to Configuration => Archiving and select Enable Data Archiving.
In the archive location, enter the NFS share you created: nfs://server/share
To check that everything is working, go to Management => System Monitor.
You will see your new archive storage.
Data archiving preserves log events that have since been removed from the Log Insight virtual appliance due to storage constraints. Log events that have been removed from the Log Insight virtual appliance, but have been archived, are no longer searchable. If you want to search archived logs, you must import them into a Log Insight instance.