There are a number of useful concepts to consider when you manage data collection devices for off-box log storage. This reference material might prove helpful in setting up and maintaining your data collection device (DCD) configuration.
You can use the BIG-IQ® user interface to restore data collection device (DCD) snapshots.
| To restore from the most recent snapshot: | Next to Last Snapshot/Time, click Restore Latest. |
| To select the snapshot that you want to restore: | |
If you determine that there are issues with a specific snapshot, you can delete it so that you cannot accidentally restore to it in the future.
The read-only Master Device field displays the host name of the BIG-IQ device that manages and monitors the health of this DCD cluster.
The optimum settings used to configure your data collection device (DCD) indices depend on a number of key factors.
This table shows the default configuration values for each index running on BIG-IQ® Centralized Management. These values are based on anticipated data ingestion rates and typical usage patterns.
| Component | Index Name | Minimum Number of DCDs | Rotation Policy | Retained Index Count | Approximate time window | Size of /var file system |
|---|---|---|---|---|---|---|
| Access | access-event-logs | 2 | Time/5 days | 19 | 95 days | 500 GB |
| Access | access-stats | 2 | Time/5 days | 19 | 95 days | 500 GB |
| Web Application Security | asmindex | 2 | Size/100000 MB | 5 | N/A | 500 GB |
| FPS | websafe | 2 | Time/30 days | 100 | 8 years | 10 GB |
If multiple modules are running on a given DCD or if you have higher inbound data rates, you might have to adjust these values to keep the /var file system from filling up. (There is a default alert to warn of this when the file system becomes 80% full.)
The simplest resolution is to revise the retained index count; lowering this value reduces the disk space requirements, but it will also reduce the amount of data available for queries. For details on changing this setting, refer to the modifying indices topic for the component you are configuring.
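The trade-off described above can be estimated before you change a retained index count. The following planner is an added example, not F5 code: the `Index` class, the `plan` function, the ingest rates, and the proportional scale-down rule are all assumptions, and the model counts every retained index against a single /var file system, ignoring how data is spread or replicated across DCDs.

```python
from dataclasses import dataclass

ALERT_PERCENT = 80  # default /var alert threshold stated on this page


@dataclass
class Index:
    name: str
    policy: str        # "time" (rotate every N days) or "size" (rotate every N MB)
    rotate_every: int  # days or MB, as in the Rotation Policy column
    retained: int      # Retained Index Count
    mb_per_day: int    # measured ingest rate (assumption: supplied by you)

    def mb_per_index(self):
        # A time-rotated index grows with the ingest rate; a size-rotated one is capped.
        if self.policy == "time":
            return self.rotate_every * self.mb_per_day
        return self.rotate_every

    def disk_mb(self, retained=None):
        return self.mb_per_index() * (self.retained if retained is None else retained)

    def window_days(self, retained=None):
        # Days of log data that stay available for queries.
        return self.disk_mb(retained) / self.mb_per_day


def plan(indices, var_gb):
    """Return (budget_mb, total_mb, {name: (retained_count, window_days)})."""
    budget = var_gb * 1000 * ALERT_PERCENT // 100
    total = sum(i.disk_mb() for i in indices)
    result = {}
    for i in indices:
        keep = i.retained
        if total > budget:
            # Scale each index down proportionally, keeping at least one.
            keep = max(1, i.retained * budget // total)
        result[i.name] = (keep, i.window_days(keep))
    return budget, total, result


# Constructed scenario: two modules sharing one 500 GB /var; rates are invented.
SAMPLE = [
    Index("access-event-logs", "time", 5, 19, 3000),
    Index("asmindex", "size", 100000, 5, 20000),
]

if __name__ == "__main__":
    budget, total, suggestion = plan(SAMPLE, 500)
    print(f"projected {total} MB against alert budget {budget} MB")
    for name, (keep, days) in suggestion.items():
        print(f"{name}: retain {keep} indices, about {days:.0f} days queryable")
```

Compare the resulting query window with the period your investigations need to reach back before lowering a count.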