
    Disk Monitoring for Search Nodes in EventlogAnalyzer

    All the live and searchable logs processed by EventLog Analyzer are stored in ElasticSearch, an open-source search engine referred to as the Search Node or ES. Processing the logs and preparing them for search is called indexing. All the indexed data is stored in the ElasticSearch data folder.

    Locating data folder for Elasticsearch

    • In a standalone build, the data is stored by default in the <EventlogAnalyzer>\ES\data folder. This location can be changed in the <EventlogAnalyzer>\ES\config\elasticsearch.yml file.
    • If EventLog Analyzer is installed with Log360, the data is found in the <ManageEngine>\elasticsearch\ES\data folder. This location can be changed in the <ManageEngine>\elasticsearch\ES\config\elasticsearch.yml file.
    • If a standalone EventLog Analyzer is integrated with Log360 manually, the data is distributed between the <EventlogAnalyzer>\ES\data folder and the <ManageEngine>\elasticsearch\ES\data folder.
    • EventLog Analyzer's search data can also be distributed across multiple machines with the help of Log360's Search Engine Management (SEM). SEM creates an ElasticSearch cluster that spreads both the data and the search load over multiple machines.

    EventLog Analyzer monitors the ElasticSearch data folder(s) for free disk space and automatically stops indexing when the drive holding ES's data has only 5GB of free space left. While indexing is stopped, all newly processed data is written to the <EventlogAnalyzer>\ES\CachedRecord folder. These cached logs are processed automatically once indexing restarts.

    • If any of the nodes is full, a mail with the subject line Disk full on search nodes is sent.
    • Once every 6 hours, a mail listing all the nodes that are still full is sent.
    • If indexing stops, the user receives a mail with the subject line Indexing stopped in EventLog Analyzer, along with a notification on the EventLog Analyzer dashboard.
    1. Indexing will not start until disk space is increased on the data drive of ES. EventLog Analyzer automatically attempts to resume indexing every 10 minutes. You can trigger the attempt immediately with the Restart Indexer option.

    2. Disk space should be cleared up or increased before restarting the indexer.

    3. If disk space is sufficient now, the indexing process will restart.

    4. If the disk monitor finds that the disk has not been cleared up, indexing will not restart.

    5. A list of all the full search nodes will be displayed under the bell notification icon present in the EventLog Analyzer console.

    Note: It is recommended that you keep at least 20% free disk space on all the search node data drives, so that indexing is not stopped when the flow of logs increases or another process uses up disk space on the server.
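    As an added illustration (not EventLog Analyzer's or ManageEngine's own code), the check below reads path.data from an elasticsearch.yml, assumed here to be the key EventLog Analyzer honours for the data folder, and applies the two thresholds the page describes to each data drive. The sample yml and its paths are constructed, and treating exactly 5GB free as "full" is an assumption about where the cut-off falls.

```python
import re
import shutil

HARD_STOP_BYTES = 5 * 1024**3   # page: indexing stops at 5 GB free (<= is an assumption)
RECOMMENDED_FREE_RATIO = 0.20   # page: keep at least 20% free on every data drive

# Constructed sample of an elasticsearch.yml; the paths are illustrative only.
SAMPLE_YML = "cluster.name: ela\n#path.data: /commented-out\npath.data: D:\\ES\\data\n"

def parse_data_paths(yml_text, default_path):
    """Extract path.data from elasticsearch.yml text (single value, inline list
    or block list); return [default_path] when the key is absent."""
    lines = yml_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^\s*path\.data\s*:\s*(.*?)\s*$", line)
        if not m:
            continue  # commented-out '#path.data' lines do not match
        value = m.group(1)
        if value.startswith("[") and value.endswith("]"):
            items = value[1:-1].split(",")
        elif value:
            items = [value]
        else:  # YAML block list on the following '- ' lines
            items = []
            for nxt in lines[i + 1:]:
                lm = re.match(r"^\s*-\s*(.+?)\s*$", nxt)
                if not lm:
                    break
                items.append(lm.group(1))
        return [s.strip().strip("'\"") for s in items if s.strip()]
    return [default_path]

def classify(total_bytes, free_bytes):
    """'full' mirrors the indexer's stop condition, 'low' the 20% recommendation."""
    if free_bytes <= HARD_STOP_BYTES:
        return "full"
    if free_bytes < total_bytes * RECOMMENDED_FREE_RATIO:
        return "low"
    return "ok"

def _real_usage(path):
    u = shutil.disk_usage(path)
    return u.total, u.free

def check_paths(paths, usage=_real_usage):
    """Map each data path to its status; `usage` is injectable for testing."""
    return {p: classify(*usage(p)) for p in paths}

if __name__ == "__main__":
    # Stand-alone demo on the current drive, since the sample paths do not exist here.
    print(check_paths(["."]))
```

Run it against the real elasticsearch.yml and alert on any path that is "low", well before the indexer reaches its 5GB stop.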
