I had just deployed a new vRealize Log Insight (vRLI) 4.0 instance in my home lab environment to investigate a behavior that I was seeing with another product, non-vRLI related. Due to the nature of the work, I needed to have a pristine vRLI environment each time to study the results. I had already forwarded some logs into vRLI and rather than deploying another instance or re-deploying the current instance, what I really wanted to be able to do was to just wipe all the logs in vRLI, but I did not see an option within the UI. I also could have used VM snapshots, but was hoping there was a cleaner solution that vRLI provided out of the box.

The next place I looked immediately after was Mr. Log Insight's site, aka Steve Flanders' blog, but there was nothing there about this other than archiving. After a few Google searches, I came across this exact same question on the vRLI Ideas site, but sadly there was no solution and it was dated back in 2014. Though Steve makes a good point about just letting the logs rotate out automatically, in my case, this was not an option and I needed a pristine environment.

Being the curious one, I figured there had to be a way, even if it is not officially recommended nor supported. As you probably have guessed, I did find a way, but I would caution that you read the disclaimer below before proceeding further. This was something I needed to do in my lab to test a few scenarios that were non-vRLI related, but I needed a syslog target, so this is why I am using vRLI 🙂

Disclaimer: This is probably not officially supported nor recommended by VMware. Please use at your own risk. YOU WILL LOSE ALL YOUR LOGS

Step 1 - SSH to your vRLI instance and stop the Log Insight service by running the following command:

/etc/init.d/loginsight stop

Step 2 - Run the following command which will list all the buckets (where your logs are stored) and their associated IDs which we will need in next step:

/usr/lib/loginsight/application/sbin/bucket-index show



Step 3 - For each of the bucket IDs returned in Step 2, you will go ahead and run the delete operation and specify the bucket ID (you will be prompted to confirm deletion):

/usr/lib/loginsight/application/sbin/bucket-index delete [BUCKET-ID]



Step 4 - Once all the buckets have been deleted, you can now start the Log Insight service by running the following command:

/etc/init.d/loginsight start

Once vRLI has started back up, you can log back into the vRLI UI and you should have a pristine environment with no logs as shown in the screenshot below.



In case you are too lazy to type all those commands manually or if you have a large number of buckets, I have also created a quick bash script that will automate the entire process (why not, right?). Simply copy/paste the script into a file called purge.sh, make sure it has executable permissions, and then run it.

#!/bin/bash
# Stop Log Insight before touching the bucket index
/etc/init.d/loginsight stop
# Answer file fed to the delete confirmation prompt
cat > /tmp/vrli-purge-answer << __ANSWER__
y
__ANSWER__
# Extract each bucket ID from the "show" output and delete it
for bucket in $(/usr/lib/loginsight/application/sbin/bucket-index show | tac | awk '{split($0,a,"="); split(a[2],b,","); print b[1]}')
do
    echo "Deleting bucket $bucket ..."
    /usr/lib/loginsight/application/sbin/bucket-index delete "$bucket" < /tmp/vrli-purge-answer
done
# Clean up and bring the service back
rm -f /tmp/vrli-purge-answer
/etc/init.d/loginsight start

Here is a screenshot of running the script to automatically purge all the logs from vRLI:



I suspect this is probably not a common vRLI request but if you ever need to wipe all your vRLI logs without needing to re-deploy, there is an option. Perhaps this is something the team could consider as a super duper advanced option? 🙂
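
A more defensive variant of the purge script above, as an added example that is not the author's code: it validates each parsed bucket ID before handing it to `bucket-index delete`, answers the confirmation prompt through a pipe instead of a fixed file in `/tmp`, and restarts the service even when a delete fails. It assumes bucket IDs are UUID-shaped; the function names, the `--purge`/`--selftest` flags and the sample listing are this example's own constructions.

```shell
#!/bin/bash
# Added example, not the author's script.
BUCKET_INDEX=/usr/lib/loginsight/application/sbin/bucket-index

# Constructed sample of a `bucket-index show` listing. The exact format is an
# assumption, inferred from the awk expression in the original script
# (ID between the first "=" and the following ",").
SAMPLE_SHOW_OUTPUT='[id=0f3a9c1e-5b7d-4e2a-9c41-7d2e8b6a1f00, status=active]
Total buckets = 2
[id=9b8e7d6c-1a2b-4c3d-8e9f-001122334455, status=archived]
[id=not-a-uuid; reboot, status=x]'

# Read a listing on stdin and print one validated bucket ID per line.
# Fields that are not UUID-shaped (headers, blank lines, error text) are
# dropped rather than passed to the delete command.
extract_bucket_ids() {
    awk '{split($0,a,"="); split(a[2],b,","); print b[1]}' |
        grep -E '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Stop the service, delete every bucket, and always start the service again.
purge_all() {
    local ids bucket rc=0
    /etc/init.d/loginsight stop || return 1
    # grep exits 1 when nothing matches; an empty bucket list is not an error.
    ids=$("$BUCKET_INDEX" show | tac | extract_bucket_ids) || true
    for bucket in $ids; do
        echo "Deleting bucket $bucket ..."
        # Answer the confirmation prompt through a pipe, not a file in /tmp.
        echo y | "$BUCKET_INDEX" delete "$bucket" ||
            { echo "delete failed: $bucket" >&2; rc=1; }
    done
    # Restart even if a delete failed so the appliance is not left stopped.
    /etc/init.d/loginsight start || rc=1
    return "$rc"
}

# Nothing destructive happens unless --purge is given explicitly.
case "${1:-}" in
    --purge)    purge_all ;;
    --selftest) printf '%s\n' "$SAMPLE_SHOW_OUTPUT" | extract_bucket_ids ;;
esac
```

Running it with `--selftest` prints only the two well-formed IDs from the constructed listing, which is a quick way to confirm the parser before using `--purge` on an appliance.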