
Live Data Storage Retention in LEM


The number of days' worth of live data that the LEM database will store varies for every implementation. The information below should help you determine this number for your environment, while also promoting a more detailed understanding of how the database works in general.

Environment

All LEM versions

Detail

What the LEM Database Stores

By default, the LEM appliance allocates up to 230 GB of the 250 GB virtual disk configured for the LEM virtual appliance to the Logs/Data partition. This partition holds three data stores:

  • Alert database (Alert store) - Normalized data storage.
The Alert store consists of all of the normalized Events/Alerts collected by the LEM Manager and LEM Agents. Data in this store is compressed at a ratio of 40:1 to 60:1, which equates to a space reduction of roughly 97-98% relative to the original log volume. LEM Reports and nDepth query this store for Alert data whenever they are run.
     
  • RAW database (Original log store) - Original data storage. Applies only if the original log storage option is enabled for auditing requirements. The original log store is an optional store for original, or RAW, log messages, which is searchable using Log Message queries in nDepth. The data in this store can come from LEM Agents or other devices that are logging to the LEM appliance. You can define whether data is sent to this store at the connector level, so connector configurations define devices/logs that are sent to the RAW database. 
     
  • Temporary syslog data (Syslog store) or SNMP data log storage – Consists of log data from network devices logging directly to LEM. The syslog store consists of all syslog/SNMP log data that is sent to the LEM appliance. LEM reads and processes the data in real time, and then sends it to the Alert database for long-term storage. LEM also keeps the original data in files, in its original format, for 50 days in case you need to review it. LEM rotates and compresses the data in the syslog store daily, but this schedule can be changed to accommodate high-volume devices that may exceed the size limit for zipping files. You can configure syslog to rotate the syslog store hourly, and keep between 1 and 100 of these rotated log files.

 

Where to Find the Numbers

There are three primary sources for statistics related to how your LEM database is being used: the Disk Usage summary in the CMC, the Database Maintenance Report, and the Log Storage Maintenance Report.

 

Disk Usage Summary

When you initially log into your LEM virtual appliance using the vSphere "console" view or an SSH client such as PuTTY, LEM automatically generates a Disk Usage summary. You can also generate an ad hoc Disk Usage summary by running the diskusage command from the cmc::acm# (cmc > appliance) prompt. The two lines to note here are:

  • Logs/Data: This figure (read as Logs & Data) represents the total space being utilized by your LEM databases and syslog storage. This value is presented in the percent% (usedG/allocatedG) format. On an appliance that has been running long enough to fill its database, the percentage of allocated disk space in use should hover around 90% (+/- 2%). Once the percentage reaches 90%, run the Database Maintenance Report to discover the retention period (Database Time Span) for the data in the Alert database.

    Note: LEM is designed to maintain the Logs/Data partition at a threshold of 90% full. As new data is inserted into the database beyond 90%, the oldest events are dropped at regular intervals so that Logs/Data perpetually remains around 90% full. Because of this automated function, manually removing old data to avoid completely filling the partition is unnecessary. If the percentage is still well below 90%, the database has not yet filled, and the Database Time Span reflects the appliance's total history rather than its steady-state retention.

 

  • Logs: This figure represents the amount of space being utilized by the syslog store. This figure is included in the used figure noted above.

    To figure out how much space is currently being utilized by your Alert store, subtract the Logs value from the used value.

    Note: If you are storing original log messages in your LEM database, the calculation above will show you the combined space being utilized by both your Alert and original log stores.

 

Database Maintenance Report

Run the Database Maintenance Report in LEM Reports to see a snapshot of your current database utilization. For the sake of this discussion, note the following sections:

  • Disk Usage Summary: This section provides disk usage figures as percentages of the space allocated to the LEM database.
  • Disk Usage Details: This section provides the actual amounts related to the percentages in the Disk Usage Summary section.
  • Database Time Span (days): Note the Alert DB value in this section. This value tells you how many days' worth of live Alert data is currently stored on your LEM database. For detailed information about this value, see the second page of the Database Maintenance Report.

Note: The Other Files figure in the Database Maintenance Report consists primarily of the data in the Syslog store noted above.

See also: Use the Database Maintenance Report to See Retention and Volume of Traffic
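The procedure above (subtract Logs from the used figure to isolate the database stores, then pair that with the Database Time Span from the Database Maintenance Report) is easy to turn into a small capacity-planning script. The following is an added example, not a LEM tool or code from this article: it parses constructed Disk Usage summary lines whose exact layout is assumed from the percent% (usedG/allocatedG) description, derives the daily growth of the normalized stores, and projects retention for a proposed Logs/Data allocation using the 90% threshold. The 40:1 to 60:1 compression range from this article is used only to back out an estimate of the uncompressed log volume.

```python
import re

# Constructed sample of the two Disk Usage summary lines the article tells you to note.
# The line layout is an assumption for this example, not copied from a real diskusage run.
SAMPLE_DISKUSAGE = """\
Logs/Data: 90% (207G/230G)
Logs: 15G
"""

# Assumed values from a Database Maintenance Report (Database Time Span, Alert DB).
SAMPLE_DB_TIME_SPAN_DAYS = 48

LOGS_DATA_RE = re.compile(r"^Logs/Data:\s*(\d+)%\s*\((\d+(?:\.\d+)?)G/(\d+(?:\.\d+)?)G\)")
LOGS_RE = re.compile(r"^Logs:\s*(\d+(?:\.\d+)?)G")

RETENTION_THRESHOLD = 0.90   # LEM prunes the oldest events to keep Logs/Data near 90% full
COMPRESSION_RANGE = (40, 60)  # Alert store compression ratio per the article


def parse_diskusage(text):
    """Extract used/allocated/syslog figures and derive the database-store usage.

    db_gb is the Alert store, or Alert + RAW store if original log storage is enabled.
    """
    used = allocated = logs = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        m = LOGS_DATA_RE.match(line)
        if m:
            used, allocated = float(m.group(2)), float(m.group(3))
            continue
        m = LOGS_RE.match(line)
        if m:
            logs = float(m.group(1))
    if None in (used, allocated, logs):
        raise ValueError("Disk Usage summary is missing the Logs/Data or Logs line")
    # Within +/- 2% of 90% means pruning is active and the time span is a true retention figure.
    at_threshold = used / allocated >= RETENTION_THRESHOLD - 0.02
    return {
        "used_gb": used,
        "allocated_gb": allocated,
        "logs_gb": logs,
        "db_gb": used - logs,
        "at_threshold": at_threshold,
    }


def daily_db_growth_gb(db_gb, db_time_span_days):
    """Average compressed growth of the database stores per day."""
    if db_time_span_days <= 0:
        raise ValueError("Database Time Span must be positive")
    return db_gb / db_time_span_days


def projected_retention_days(allocated_gb, logs_gb, daily_gb, threshold=RETENTION_THRESHOLD):
    """Days of normalized data a given Logs/Data allocation can hold before pruning starts.

    The syslog store shares the partition, so it is subtracted from the 90% budget.
    """
    budget_gb = allocated_gb * threshold - logs_gb
    if budget_gb <= 0:
        raise ValueError("syslog store alone exceeds the retention budget; reduce it first")
    return budget_gb / daily_gb


def estimated_raw_gb_per_day(daily_gb, ratios=COMPRESSION_RANGE):
    """Back out the uncompressed log volume implied by the compressed daily growth."""
    return tuple(daily_gb * r for r in ratios)


if __name__ == "__main__":
    usage = parse_diskusage(SAMPLE_DISKUSAGE)
    daily = daily_db_growth_gb(usage["db_gb"], SAMPLE_DB_TIME_SPAN_DAYS)
    print(f"database stores: {usage['db_gb']:.0f} GB, growth {daily:.2f} GB/day, "
          f"pruning active: {usage['at_threshold']}")
    for proposed in (usage["allocated_gb"], 500.0):
        days = projected_retention_days(proposed, usage["logs_gb"], daily)
        print(f"allocation {proposed:.0f} GB -> about {days:.0f} days of live Alert data")
    low, high = estimated_raw_gb_per_day(daily)
    print(f"implied uncompressed volume: {low:.0f}-{high:.0f} GB/day")
```

With the constructed figures the script reports 192 GB of database data growing 4 GB/day, which reproduces the 48-day time span at the current 230 GB allocation and projects roughly 109 days at 500 GB. Treat the projection as a planning estimate: event volume is rarely constant, and the at_threshold flag tells you whether the time span you fed in was a real steady-state retention figure or just how long the appliance has been collecting.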

 

Log Storage Maintenance Report

Run the Log Storage Maintenance Report in LEM Reports to get detailed information about the original log store. This report is blank unless the RAW database has been enabled and at least one connector has been configured to send original log messages to it.

 

Alternate Storage Methods

Depending on the needs of your environment, you might want to utilize one or more of the alternate storage methods listed below. For more details or assistance with any of these methods, please open a ticket with Support.

  • Back up your LEM virtual appliance Alert database on a regular basis. This gives you offline storage for all of your LEM normalized data. Use the ArchiveConfig command to configure the Alert database backups. The first time the database is backed up, the entire Alert database is placed onto a network share; subsequent backups are incremental/differential.
  • Back up your LEM virtual appliance RAW database on a regular basis. This gives you offline storage for all of your LEM original log data. Use the LogMArchiveConfig command to configure the RAW database backups. The first time the database is backed up, the entire RAW database is placed onto a network share; subsequent backups are incremental/differential.
  • Back up the Syslog store. This is typically not configured, but if you need it, use the LogBackupConfig command to configure the syslog backups.
  • Decrease the number of days for which Syslog/SNMP data is stored on your LEM virtual appliance. Use the setlogrotate and limitsyslog commands from an SSH/PuTTY session to adjust the storage space used.
  • Increase the space allocated to your LEM virtual appliance - see Resize a LEM Virtual Appliance.
  • Deploy another LEM virtual appliance to be used as a dedicated syslog server. This is typically not needed; contact SolarWinds Support to configure the additional appliance for the Syslog role.
  • Deploy another LEM virtual appliance to be used as a dedicated database server. This is typically not needed; contact SolarWinds Support to configure the additional appliance for the database role.