The topics in this section are about configuring nDepth to store and access your original log messages:
If needed, you can use a separate nDepth appliance for long-term storage and retrieval of your network's original event log messages. In this configuration, each Manager has its own dedicated nDepth appliance. The appliance stores all of the original log file source data that passes through a particular Manager. The log data is stored in its entirety, in real time, as it originally occurs from each host (network device) and source (application or connector) that is monitored by the Manager.
Even when you use a separate appliance, you can still access and explore this information from the Console's nDepth view.
The primary advantage of using a separate nDepth appliance is that it provides you with the capacity for long-term storage and retrieval of the original log messages. If long-term storage of this information is a high priority, then you will want to consider a separate appliance; otherwise, a separate appliance is probably unnecessary. If you have questions, contact your SolarWinds sales representative or SolarWinds Technical Support.
If you would like to use a separate nDepth appliance for long-term storage and retrieval of the original log messages, then you must install that appliance before you begin using nDepth. Contact SolarWinds Technical Support for instructions on installing a separate appliance.
If you are not using a separate appliance, this procedure is not required, because short-term log messages are stored directly on LEM.
To use nDepth to explore your network's original log messages, you must configure each connector (sensor) for use with nDepth using the Console's Connector Configuration form.
First, decide which of the network devices, applications, and connectors monitored by the Manager should also send their log messages to nDepth. Then configure each of these connectors for use with nDepth. You can choose to route a connector's log messages to LEM, directly to nDepth, or to both.
SolarWinds recommends that you configure each connector so it routes its log messages to both nDepth and LEM. This allows you to receive events on these connectors, and to search log messages stored on the separate nDepth appliance.
By default, the LEM database is allowed 230 GB of the 250 GB allocated to the LEM virtual appliance. This partition consists of three data stores:
The Syslog store (the first store) consists of all Syslog/SNMP log data sent to the LEM appliance. The LEM appliance reads and processes the data in real time, and then sends it to the event store for long-term storage. The LEM appliance stores the original data for 50 days in its original format, just in case you need to review it, and compresses and rotates the data in the Syslog store daily, maintaining a consistent 50 days' worth of data. The amount of data stored here should level off at around the 50-day mark.
The Event store (the second store) consists of all normalized events generated by the LEM manager and LEM Agents. Data in this store is compressed at a ratio of 40:1 to 60:1, which equates to an average compression rate of 95-98%. LEM reports and nDepth query this store for event data whenever they run.
The Original log store (the third store) is an optional store for original, or "raw," log messages that are searchable using Log Message queries in nDepth. The data in this store can come from LEM agents or other devices logging to the LEM appliance. You can define whether data is sent to this store at the connector level, so not all devices have to log in this manner. For more information, see Configuring Your LEM Appliance for Log Message Storage and nDepth Search in the SolarWinds Success Center.
There are three primary sources for statistics related to how your LEM database is being used:
When you initially log in to your LEM virtual appliance using the vSphere console view or an SSH client such as PuTTY, the LEM appliance automatically generates a Disk Usage summary. You can also generate an ad hoc disk usage summary by running the diskusage command from the cmc::acm# (cmc > appliance) prompt. The two lines to note here are Logs/Data and Logs.
The Logs/Data figure represents the total space being utilized by your LEM database. This value is presented in the percent % (usedG/allocatedG) format, where percent is the percent of the allocated space currently being used and allocated is the total amount of space that is currently allocated to the LEM database.
The Logs figure represents the amount of space used by the Syslog store. This figure is included in the used figure noted above. To figure out how much space is currently being utilized by your Event store, subtract the Logs value from the used value. If you are storing original log messages in your LEM database, the calculation above will show you the combined space being utilized by both your Event and original log stores.
Run the Database Maintenance Report in LEM reports to view a snapshot of your current database usage. The report includes Disk Usage Summary, Disk Usage Details, Database Time Span (days), and Other Files.
Disk Usage Summary provides disk usage figures as percentages of the space allocated to the LEM database. Disk Usage Details provides the actual amounts related to the percentages in the Disk Usage Summary section. Database Time Span (days) tells you how many days' worth of live event data is currently stored on your LEM database. For detailed information about this value, see the second page of the Database Maintenance Report. The Other Files figure in the Database Maintenance Report consists primarily of the data in the Syslog store noted above.
Run the log storage maintenance report in LEM reports to get detailed information about the original log store. If you have not enabled your LEM appliance and connectors to store original log messages, this report will be blank.
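The subtraction described above for the diskusage summary can be scripted against a saved copy of the summary text. The following is an added example, not SolarWinds code: the sample lines are constructed, the Logs/Data layout follows the percent % (usedG/allocatedG) format given above, and the layout of the Logs line (a plain size in G) and the function name store_breakdown are assumptions.

```python
import re

# Constructed sample of the two lines of interest; not captured from a real
# appliance. The Logs line layout (a plain size in G) is an assumption.
SAMPLE_SUMMARY = """\
Logs/Data: 42% (96.6G/230G)
Logs: 18.4G
"""

NUM = r"\d+(?:\.\d+)?"
LOGS_DATA_RE = re.compile(
    rf"^\s*Logs/Data:\s*(?P<pct>{NUM})\s*%\s*"
    rf"\((?P<used>{NUM})G/(?P<alloc>{NUM})G\)\s*$",
    re.M,
)
LOGS_RE = re.compile(rf"^\s*Logs:\s*(?P<logs>{NUM})G\s*$", re.M)


def store_breakdown(summary: str) -> dict:
    """Split the Logs/Data figure into the Syslog store and the remainder."""
    data = LOGS_DATA_RE.search(summary)
    logs = LOGS_RE.search(summary)
    if not data or not logs:
        raise ValueError("Logs/Data or Logs line not found in summary")
    used, alloc = float(data["used"]), float(data["alloc"])
    syslog = float(logs["logs"])
    if syslog > used:
        # Logs is included in the used figure, so it can never exceed it.
        raise ValueError("Logs value is larger than the used value")
    return {
        "allocated_gb": alloc,
        "used_gb": used,
        "syslog_gb": syslog,
        # Event store, plus the original log store when that is enabled.
        "event_and_original_gb": round(used - syslog, 2),
        "free_gb": round(alloc - used, 2),
        "used_pct": round(100 * used / alloc, 1),
    }


if __name__ == "__main__":
    for name, value in store_breakdown(SAMPLE_SUMMARY).items():
        print(f"{name}: {value}")
```
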
Depending on the needs of your environment, you can use one or more of the alternate storage methods listed below. For more details or assistance with any of these methods, please open a ticket with Support.