What is the maximum size I can increase my LEM volume to for maximizing my log data retention?
Prior to LEM version 5.6, the limit was 1TB. With version 5.6, the 1TB limit has been removed. The new limit is 2.2TB, which is the next most common barrier, based on the ability of virtual infrastructure to address a single disk. This is according to http://thwack.solarwinds.com/community/solarwinds-community/product-blog/blog?start=45.
Great question. I'm about to face the same. Also, what are the system recommendations for proc/RAM for more data, if any?
Dang, I knew there was a blog that covered that but I wasn't able to find it before asking the question here. Thanks for pointing that out!
So, after thinking about this I have a follow-up question...
What if you need to store more than 2.2TB worth of data to meet a data retention requirement?
Here's an example related to PCI. PCI requires 90 days of logs online, with 365 available offline. In this scenario, make sure that you have a DB size that allows the 90 days to be online, plus a buffer, just to be sure. Then save your backups to have the 365 days offline available. In your question, you didn't elaborate on what your data retention requirements are, but this is an example.
If you have your DB size maxed out and still don't have enough room for your *online* data retention requirement, then you'll have to look at a couple of things. I would recommend exploring every option available to make certain that you're only logging what needs to be logged. Examine your Windows audit policy for instance (if you're in a Windows environment). As you probably know, one checkbox there can make a considerable difference in the number of events that get sent to LEM.
The only option I know of that would help you past the 2.2TB limit would be another complete LEM system. Then you would have some systems logging to one, and others logging to another. In your LEM console, you would be able to easily switch between the two LEM 'environments'. As I understand it, nDepth queries can be used to run against either DB, but filters can show traffic from both LEM systems simultaneously. I could be mistaken on those specific details.
Thanks, that is along the lines of what I was expecting. I am curious though: my understanding is that if you need to use one of those backups, when you restore it you will replace your current database with the backup. Is that correct?
When you say 90 days online, you are referring to being able to query results via nDepth for up to 90 days, correct? As someone also in the PCI realm, I would be interested in some of the industry standard best practices that others are leveraging with LEM. We currently do a monthly archiveconfig, and weekly backupconfigs and logbackupconfigs.
An actual list of audit policies to enable would also be helpful, this being my first time at the rodeo regarding PCI. For example, they say Object Access "Success and Failure". But are they all enabled? I don't really want to turn on Audit Filtering Platform Connection, etc., and have our logs explode. Any guidance is appreciated. Thanks.