Graylog2 - how to configure log retention to 1 week

眉间皱痕 submitted on 2019-12-05 06:42:09

This can be easily configured using the Web GUI in Graylog_2 and later.

Navigate to "System/Indices" in the Administration drop-down menu. Under "Settings", click the Update configuration button.

Configure the Index Rotation Configuration to equal "Index Time", Rotation Period = P1D (a day). You'll have to decide whether or not you'd like to "Delete Index" or just close it, then set the Max number of indices to "8". That should keep the current day and the last 7 days' worth of indices.

NOTE:

Graylog Enterprise edition comes with an option to "Archive" log files, which essentially compresses them and allows you to move them to another storage location (whether to tape or just to another storage location).

One way to achieve this is to rotate your index every day and keep the maximum number of indices at 8. This way you will always have a full week + the current day of logs in your Elasticsearch cluster.

elasticsearch_max_time_per_index = 1d
elasticsearch_max_number_of_indices = 8

Note that your search performance can be even better by using more indices and a shorter rotation time, thanks to the intelligent time range selection feature of Graylog. For example, this should give faster search results if you have a lot of data:

elasticsearch_max_time_per_index = 12h
elasticsearch_max_number_of_indices = 16

You can even drop your number of indices to 15 and still have a whole week of data.

Graylog server should be configured as below:

elasticsearch_max_time_per_index = 1d
elasticsearch_max_number_of_indices = 7
rotation_strategy: time

Please note that the strategy used in this case must be time. It worked well.
