As you start logging more and more of your environment to Log Insight, it becomes important to understand what devices have been seen. The two common use-cases for this include understanding license requirements and to determine whether a host that was previously logging has stopped logging. In Log Insight 2.5 this feature has been introduced as a Hosts table under administration.
Log Insight initially was licensed per OSI or Operating System Instance. The number of OSI allowed was stated in the UI under Administration > Licenses, but there was no way to see how many devices were logging to Log Insight. In Log Insight 1.5 a unique count aggregation function was added to the Interactive Analytics page. This made it possible to run a unique count of events by hostname, which would tell you how many devices to Log Insight. In Log Insight 2.0 the Licenses page was enhanced to include a visual graph of the average number of devices logging to Log Insight and when you were out of compliance, but again you had to rely on the Interactive Analytics page to determine what devices were logging.
Hosts (Overview) Table
Log Insight 2.5 includes a Host Overview table under Administration. This table contains a list of every device that has at least one event stored on the Log Insight instance (i.e. local retention). If a device had logged to Log Insight, but events from that device have since been retired (i.e. deleted) then the device will not appear on the Host Overview table. In addition to the device name, you can tell the last time since Log Insight received an event from that device.
The Host Overview table relies on the hostname field to populate the table. The problem is some devices do not send the hostname and some devices only send a hostname for some, but not all, events. To deal with this issue, Log Insight lists every source that has sent at least one event without a hostname under the View Details link at the bottom of the table. If all events contain a hostname then you will not see this option.
Again, note since some devices send a hostname with some events but not others, as such a device may be listed in the Host Overview table and the sources table.
It is also important to note that the same device may be listed multiple times in the Host Overview table. This would be because a device is sending more than one hostname (e.g. hostname and FQDN) in which case each is treated as a different host.
The Hosts (Overview) Table makes it possible to see which devices have logged to Log Insight and the last time an event from that device was received. The table relies on the hostname field of events. The same device may be shown multiple times if it sends events with different and/or without hostnames.
© 2015 – 2021, Steve Flanders. All rights reserved.