Manually remove logs from Aria Operations for Logs for specific dates

Article ID: 375585


Products

VMware Aria Suite

Issue/Introduction

How to delete logs from Aria Operations for Logs that were sent on specific dates.

  • Logs are ingested into buckets
  • Each bucket is sealed when it reaches 0.5GB
  • Logs can only be removed by entire buckets

Environment

VMware Aria Operations for Logs 8.10.2 and newer

Cause

In the UI, the oldest logs can be removed by specifying a retention period for an Index Partition using the documentation below, but there is no mechanism in the UI to remove buckets ingested at specific dates if they are not the oldest logs.

Configure an Index Partition

Resolution

NOTE: Before proceeding, take a snapshot of all of the Log Insight cluster nodes from the same point in time, excluding memory. Make sure that there are also good backups that can be restored if required. Please see Backup Nodes and Clusters for more information. Remove the snapshots once successful cluster startup and operation confirm that they are no longer needed.

  1. Log in to an Aria Operations for Logs node as root via SSH or vSphere Console

  2. Stop the service with the command below
    systemctl stop loginsight

  3. Verify the service has stopped with the command below
    /etc/init.d/loginsight status

    Note: The expected output when the service is successfully stopped is Failed to obtain the client socket.

  4. Delete the desired logs with the command below
    /lib/loginsight/application/sbin/bucket-tools --delete createdStart=2019-10-14 createdEnd=2019-10-20

    Note: Modify the createdStart and createdEnd values to match the desired time range. The format is YYYY-MM-DD, where YYYY is the 4-digit year, MM is the 2-digit month, and DD is the 2-digit day.

  5. Type y to delete the identified buckets

  6. Start the service with the command below
    systemctl start loginsight

  7. After 5 minutes, navigate in the Aria Operations for Logs UI to the Management > Cluster page and validate that the node shows as Connected

    Note: In a single-node cluster, the Management > Cluster page does not say Connected. In a single-node cluster, the availability of the UI confirms the successful completion of step 6.

  8. Repeat steps 1-7 on all other nodes in the Aria Operations for Logs cluster
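
Because step 4 removes whole buckets and cannot be undone from the UI, a pre-flight check for steps 3 and 4 helps avoid deleting the wrong range. The script below is an added example, not part of the original article or of VMware's tooling: it confirms the stopped-service message from step 3, validates both dates, and prints the exact step-4 command for review instead of running it. The function names are hypothetical; only the bucket-tools path, its arguments, and the status message come from the article.

```shell
#!/bin/sh
# Added example: pre-flight checks before the bucket deletion in step 4.
# Function names are hypothetical; the bucket-tools path and arguments
# are the ones shown in the article.
BUCKET_TOOLS=/lib/loginsight/application/sbin/bucket-tools

# valid_date YYYY-MM-DD: succeeds only for a real calendar date.
valid_date() {
    case "$1" in
        [1-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    y=${1%%-*}; rest=${1#*-}; m=${rest%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}          # strip a leading zero so 08/09 compare as decimal
    [ "$m" -ge 1 ] && [ "$m" -le 12 ] || return 1
    case "$m" in
        4|6|9|11) max=30 ;;
        2) max=28
           if [ $((y % 4)) -eq 0 ] &&
              { [ $((y % 100)) -ne 0 ] || [ $((y % 400)) -eq 0 ]; }; then
               max=29
           fi ;;
        *) max=31 ;;
    esac
    [ "$d" -ge 1 ] && [ "$d" -le "$max" ]
}

# delete_command START END: prints the step-4 command line, or fails if a
# date is malformed or the range is reversed.
delete_command() {
    valid_date "$1" || { echo "bad createdStart: $1" >&2; return 1; }
    valid_date "$2" || { echo "bad createdEnd: $2" >&2; return 1; }
    s=$(printf %s "$1" | tr -d '-'); e=$(printf %s "$2" | tr -d '-')
    [ "$s" -le "$e" ] || { echo "createdStart is after createdEnd" >&2; return 1; }
    printf '%s --delete createdStart=%s createdEnd=%s\n' "$BUCKET_TOOLS" "$1" "$2"
}

# service_stopped: reads status output on stdin and succeeds when it contains
# the message step 3 gives for a stopped service.
service_stopped() {
    grep -q 'Failed to obtain the client socket'
}

# Runs only when two dates are supplied, e.g. sh preflight.sh 2019-10-14 2019-10-20
if [ "$#" -eq 2 ]; then
    /etc/init.d/loginsight status 2>&1 | service_stopped ||
        { echo "loginsight is not stopped; complete steps 2-3 first" >&2; exit 1; }
    cmd=$(delete_command "$1" "$2") || exit 1
    echo "Review, then run: $cmd"
fi
```

Keep the printed command line with the change record for the deletion, since the removed buckets no longer appear in searches afterwards.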