I had just deployed a new vRealize Log Insight (vRLI) 4.0 instance in my home lab environment to investigate a behavior that I was seeing with another product, non-vRLI related. Due to the nature of the work, I needed to have a pristine vRLI environment each time to study the results. I had already forwarded some logs into vRLI and rather than deploying another instance or re-deploying the current instance, what I really wanted to be able to do was to just wipe all the logs in vRLI, but I did not see an option within the UI. I also could have used VM snapshots, but was hoping there was a cleaner solution that vRLI provided out of the box.

The next place I looked immediately after was Mr. Log Insight's site, aka Steve Flanders' blog, but there was nothing there about this other than archiving. After a few Google searches, I came across this exact same question on the vRLI Ideas site but sadly there was no solution and it was dated back in 2014. Though Steve makes a good point about just letting the logs rotate out automatically, in my case, this was not an option and I needed a pristine environment.

Being the curious one, I figured there has to be a way, even if it is not officially recommended nor supported. As you probably have guessed, I did find a way but I would caution that you read the disclaimer below before proceeding further. This was something I needed to do in my lab to test a few scenarios that were non-vRLI related, but I needed a syslog target, so this is why I am using vRLI 🙂

Disclaimer: This is probably not officially supported nor recommended by VMware. Please use at your own risk. YOU WILL LOSE ALL YOUR LOGS

Step 1 - SSH to your vRLI instance and stop the Log Insight service by running the following command:

/etc/init.d/loginsight stop

Step 2 - Run the following command, which will list all the buckets (where your logs are stored) and their associated IDs, which we will need in the next step:

/usr/lib/loginsight/application/sbin/bucket-index show

Step 3 - For each of the bucket IDs returned in Step 2, you will go ahead and run the delete operation and specify the bucket ID (you will be prompted to confirm deletion):

/usr/lib/loginsight/application/sbin/bucket-index delete [BUCKET-ID]

Step 4 - Once all the buckets have been deleted, you can now start the Log Insight service by running the following command:

/etc/init.d/loginsight start

Once vRLI has started back up, you can log back into the vRLI UI and you should have a pristine environment with no logs as shown in the screenshot below.

In case you are lazy to type all those commands manually or if you have a large number of buckets, I have also created a quick bash script that will automate the entire process (why not, right?). Simply copy/paste the script into a file called purge.sh and make sure it has executable permissions and then run it.
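An added example of scripting Steps 1 to 4; it is not the author's purge.sh. It assumes `bucket-index show` prints bucket IDs as UUIDs (check this against the output on your appliance), it does nothing unless run with the hypothetical `--purge` flag, and it leaves the per-bucket confirmation prompt from Step 3 in place. The sample text in the script is constructed, not real tool output.

```shell
#!/bin/bash
# Added example, not the author's purge.sh. Commands and paths are the ones
# from Steps 1-4; everything else (function names, --purge flag) is hypothetical.
BUCKET_INDEX=/usr/lib/loginsight/application/sbin/bucket-index
SERVICE=/etc/init.d/loginsight

# Constructed sample, NOT the real format of `bucket-index show`.
SAMPLE_SHOW='id=0a1b2c3d-1111-2222-3333-444455556666 status=sealed
id=0a1b2c3d-1111-2222-3333-444455556666 status=sealed
id=FFEEDDCC-aaaa-bbbb-cccc-ddddeeeeffff status=active
no buckets here'

# Assumption: bucket IDs appear as UUIDs in the `show` output.
# Reads text on stdin, prints each distinct UUID once, one per line.
extract_bucket_ids() {
    grep -oiE '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' | sort -u
}

purge_all() {
    # Step 1: the service must be stopped before touching buckets.
    "$SERVICE" stop || return 1

    # Step 2: collect the bucket IDs.
    ids=$("$BUCKET_INDEX" show | extract_bucket_ids)

    # Step 3: delete each bucket. A for-loop (not a pipe into while) keeps
    # stdin on the terminal, so the tool's confirmation prompt still works.
    failed=0
    for id in $ids; do
        echo "Deleting bucket $id"
        "$BUCKET_INDEX" delete "$id" || { echo "delete failed: $id" >&2; failed=1; }
    done

    # Step 4: always bring the service back, even if a delete failed.
    "$SERVICE" start
    return "$failed"
}

# Destructive path runs only on explicit request.
case "${1:-}" in
    --purge) purge_all ;;
    *) echo "usage: $0 --purge   (deletes ALL Log Insight buckets)" >&2 ;;
esac
```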

Here is a screenshot of running the script to automatically purge all the logs from vRLI:

I suspect this is probably not a common vRLI request but if you ever need to wipe all your vRLI logs without needing to re-deploy, there is an option. Perhaps this is something the team could consider as a super duper advanced option? 🙂

7 thoughts on “How to purge all logs in vRealize Log Insight?”

  1. Just the answer I needed. Was getting an alert that one of my LI nodes was having a space warning. I was confused by this as I believed LI to always keep its space trimmed to 93% usage. I dug through my LI alert emails and found one that reported two buckets as corrupted and I assumed it left them to stagnate. I used your commands to purge those two buckets to bring the storage back to 93%.
    Thanks as always for your knowledge.

  2. Hi William,
    How to create a CLI to automatically delete logs from vRLI, based on time frame,
    for example each month or date?

  3. Perhaps this is something the team could consider as a super duper advanced option? 🙂

    Absolutely, we need this as an advanced option and/or to configure at vami, to delete any buckets older than 30 days or so.

  4. Same thing can be achieved through WinSCP. You are going to find the buckets under the path (storage/core/loginsight/cidata/store)

Thanks for the comment!
