In previous versions of Log Insight when you upgraded you received system notifications for events that happen automatically as part of upgrading (e.g. maintenance mode, disconnect, reconnect, etc). In Log Insight 4.0, system notifications are suppressed during upgrade.
NOTE: This behavior is automatic and cannot be changed.
Log Insight sends a variety of information including status and health through system notifications. These system notification alerts are listed in the official documentation:
While most of the notifications are critical, a few may not be including:
- Oldest Data Will Be Unsearchable Soon (especially given: Repository Retention Time)
- Archive Failure (since this is often intermittent and this is more important: Pending Archives)
In Log Insight 4.0, an option exists to selectively disable system notification (in the past it was all or nothing). In general, I do not recommend selectively disabling alerts — because if you disable the wrong one then you may miss critical information about the health or status of you Log Insight instance. For example, instead of disabling the “Repository Retention Time”, you should change the alert threshold as discussed here.
So how do you disable certain system notifications in Log Insight 4.0? You do so from the /internal/config page. On that page, find the <alerts> section and add the following:
<alerts> <disabled-notifications> <notification pattern=”Oldest Data Will Be Unsearchable Soon .*” /> </disabled-notifications> </alerts>
As you can see, the notification pattern is a regex based on the names of the system notifications in the official documentation.
NOTE: You must end the pattern in .* as the subject of the email contains node info
If you wish to disable multiple alerts then you can add multiple patterns:
<alerts> <disabled-notifications> <notification pattern=”Oldest Data Will Be Unsearchable Soon .*” /> <notification pattern=”Archive Failure .*” /> </disabled-notifications> </alerts>
NOTE: These are really the only two system notification I would consider disabling.
Two new system notifications have been added in Log Insight 4.0:
1. Duplicate alerts
If more than one user has the same alert enabled then you will now be notified. This is important as every alert is a query and every query puts load on the system. Given you can subscribe to alerts in Log Insight 4.0, the best practice is to only have an alert enabled once.
2. Event Forwarder drops
If the event forwarder drops events then that means the remote destination will never receive the events that were dropped. The event forwarder may need to drop events for a variety of reasons including:
- Improper sizing of the event forwarder instance
- The remote destination is unavailable for an extended period of time
- Not enough threads have been configured for the event forwarder destination
NOTE: Event forwarder drops are not the same as API drops. See this post for more details.
© 2016, Steve Flanders. All rights reserved.