Before we begin
It is a best practice to ingest archives only into a new or dedicated Log Insight instance. During the import operation, the oldest events on the Log Insight instance may be rotated off if there is not enough space. As a result, performing an import on a production system may result in a shorter than required retention period.
Mounting the archive
Since the archive is stored on an NFS location, the easiest way to ingest an archive is by mounting the same NFS location.
Note: You could attempt to copy the archive file(s) from the NFS location to one of the partitions on the Log Insight virtual appliance; however, this is not recommended or supported, as it may result in the virtual appliance running out of space.
Log Insight archiving does not maintain a persistent mount to the archive location, so even if archiving is enabled on the Log Insight instance you wish to import an archive on, the destination will not be available. In addition, importing an archive is not available via the UI today, so all import operations must be done via the CLI. To import an archive, SSH to a Log Insight instance and mount the NFS location. For example:
# mount -t nfs 192.168.1.11:/archives /mnt
The mount operation may fail for a variety of reasons including:
- No network access to the path
- Improper permissions to the share
- NFS client services are not running properly
While the last reason should be very rare, let me walk through some troubleshooting. Run:
Does the command fail with:
clnt_create: RPC: Program not registered
If so, run:
service nfs start
Does the command fail with:
Not starting NFS client services – no NFS found in /etc/fstab: unused?
If so, look in /etc/sysconfig/nfs for NFS_START_SERVICES="" and change it to NFS_START_SERVICES="yes". Then service nfs start should work.
Importing an archive
Now all you need to do is import the archive. It is important to note that the import operation can take a long time to complete. Unfortunately, the Log Insight virtual appliance does not come with screen so this really leaves you with two options to ensure the import operation completes:
- Log into the console (not SSH) of the virtual appliance and run the following command:
# /usr/lib/loginsight/application/bin/loginsight repository import <Path-To-Archive-Folder> >>/tmp/import.log
- SSH to the virtual appliance and run the following command:
# /usr/lib/loginsight/application/bin/loginsight repository import <Path-To-Archive-Folder> >>/tmp/import.log &
# disown
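The mount check and the detached import from the steps above, combined into one wrapper as an added example that is not part of the original post. The function names and the LOGINSIGHT_BIN and MOUNTS_TABLE overrides are assumptions, and unlike the commands above it also sends stderr to the log and uses nohup in place of disown:

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# LOGINSIGHT_BIN / MOUNTS_TABLE overrides are assumptions for illustration.
LOGINSIGHT_BIN="${LOGINSIGHT_BIN:-/usr/lib/loginsight/application/bin/loginsight}"
MOUNTS_TABLE="${MOUNTS_TABLE:-/proc/mounts}"

# Succeeds only if the absolute directory $1 sits on an NFS mount.
# The longest matching mount point wins, so /mnt covers /mnt/x but not /mntx.
on_nfs() {
    dir=$1 best="" fstype=""
    while read -r _dev mnt fs _rest; do
        case "$dir/" in
            "${mnt%/}/"*)
                if [ "${#mnt}" -ge "${#best}" ]; then best=$mnt fstype=$fs; fi ;;
        esac
    done < "$MOUNTS_TABLE"
    case "$fstype" in nfs|nfs4) return 0 ;; *) return 1 ;; esac
}

# Starts the import detached from the session and prints its PID.
# nohup keeps the job alive after the SSH session ends; 2>&1 puts error
# messages in the same log as the normal output.
start_import() {
    archive=$1 log=${2:-/tmp/import.log}
    [ -d "$archive" ] || { echo "not a directory: $archive" >&2; return 1; }
    # Refuse archives copied onto a local partition of the appliance.
    on_nfs "$archive" || { echo "refusing: $archive is not on NFS" >&2; return 1; }
    nohup "$LOGINSIGHT_BIN" repository import "$archive" >>"$log" 2>&1 </dev/null &
    echo "$!"
}

# Usage on the appliance, after mounting the share:
#   start_import <Path-To-Archive-Folder>
```

Follow progress with tail -f /tmp/import.log from any later session.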
Be sure to import archives to a dedicated Log Insight instance. An archive should be imported by mounting the NFS location on a Log Insight virtual appliance via the CLI. Since the import operation can take a while, it is important to run the command in a way that ensures it does not get terminated and that all output is collected. If you are looking for additional archiving functionality, be sure to check out the Log Insight Community.
© 2016, Steve Flanders. All rights reserved.