Not that I think you should ever remove Log Insight from your environment, but I have been asked how to properly remove Log Insight (e.g. re-purposing an environment) after it has been configured. Read on to learn more!
You could of course just power off Log Insight and be done with it, however there are several configurations that may remain within the environment that could lead to possible issues or unexpected behaviors in the future. When removing Log Insight, my recommendation would be to:
- Remove vROps integration – uncheck boxes and select save – this removes the objects from within vROps
- Remove vSphere integration – remove entire box and select save (be sure to remove ESXi configuration as well) – this removes the configuration from all configured ESXi hosts
- Remove VIDM integration – toggle switch and select save – this removes integration information with VIDM
- Confirm no events are being ingested (assuming you already moved traffic over) – otherwise sources may generate errors or attempt to log to whatever system hosts the logging IP in the future
- Check /admin/health > Statistics for incoming ingestion rate
- Ensure no agents are active on /admin/agents page
- Go to /explore and group by hostname to see what devices are still logging
- Remove any configured VIPs from Log Insight – in case you plan to re-use the IP addresses in the environment and power back on Log Insight
- Shutdown Log Insight
As you can see, the process is straightforward, but does require a bit of work. The most important part, in my opinion, is to ensure all the sources sending data to Log Insight are unconfigured.
© 2017, Steve Flanders. All rights reserved.