Graylog2 - how to save log configuration up to 1 week

We run several Graylog2 servers (graylog-server version 1.3.4). We receive a very large number of log messages, which requires a lot of memory. I am trying to reduce log retention to 1 week: every log message older than 1 week should be deleted. However, I cannot find the value for this in the configuration file.
I used the value "max_time_per_index = 7d", but max_time_per_index seems only to determine the age an index reaches before it is rotated and a new index is created, not the age of the messages in that index.
So what is the best way to set message retention for 1 week? Please help me. Many thanks.

+4
3 answers

One way to achieve this is to rotate your index every day and set the maximum number of indices to 8. This way you will always have a whole week plus the current day of logs in your Elasticsearch cluster.

elasticsearch_max_time_per_index = 1d
elasticsearch_max_number_of_indices = 8

Please note that search performance can be even better if you use more indices and a shorter rotation time, thanks to the Graylog smart timing feature. For example, this should lead to faster search results if you have a lot of data:

elasticsearch_max_time_per_index = 12h
elasticsearch_max_number_of_indices = 16

You can even reduce the number of indices to 15 and still have a whole week of data.

+6

This can be easily configured using the web GUI in Graylog 2 and later.

"/" "". "" Update configuration .


" ", = P1D (). , " " , "8". 7 .


:

Graylog Enterprise "" , ( , ).

+4

The graylog server should be configured as follows:

elasticsearch_max_time_per_index = 1d
elasticsearch_max_number_of_indices = 7
rotation_strategy: time

Note which rotation strategy is being used; in this case it should be time. It worked well.

+2
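The answers above size retention by combining a rotation period with a maximum index count, but the guaranteed window is not simply "count times period": the newest index may have just been opened, so the oldest deleted data can be as young as (count - 1) periods. The following added example (not code from the original thread or from Graylog) parses a server.conf fragment and computes the minimum and maximum retention that the first answer's 8-index daily rotation, its 12-hour variants, and the third answer's 7-index configuration actually provide. It assumes the usual time-rotation model, where a new index opens every elasticsearch_max_time_per_index and the oldest index is dropped once elasticsearch_max_number_of_indices is exceeded, and it requires rotation_strategy = time to be set explicitly, as the third answer recommends. The config fragment embedded below is constructed for the example.

```python
"""Added example (not from the original thread): retention window implied by
Graylog time-based index rotation settings.

Assumed model: a new index opens every elasticsearch_max_time_per_index and
the oldest index is deleted once elasticsearch_max_number_of_indices is
exceeded. Guaranteed (minimum) retention is therefore (count - 1) * period,
because the newest index may be nearly empty right after a rotation; the
maximum retention is count * period.
"""
import re
from datetime import timedelta

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed server.conf fragment used as sample input (not a real file).
SAMPLE_CONF = """\
# retention: rotate daily, keep a week plus the current day
rotation_strategy = time
elasticsearch_max_time_per_index = 1d
elasticsearch_max_number_of_indices = 8
"""


def parse_period(text):
    """Parse a Graylog period such as '1d', '12h' or '30m' into a timedelta."""
    match = re.fullmatch(r"\s*(\d+)\s*([smhd])\s*", text)
    if not match:
        raise ValueError("unsupported period: %r" % text)
    return timedelta(seconds=int(match.group(1)) * _UNIT_SECONDS[match.group(2)])


def parse_config(conf_text):
    """Read 'key = value' lines from a server.conf fragment, ignoring comments."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def retention_bounds(settings):
    """Return (minimum, maximum) retention as timedeltas for time-based rotation.

    Raises ValueError when rotation_strategy is not explicitly 'time': with any
    other strategy the index count says nothing about the age of the data.
    """
    if settings.get("rotation_strategy") != "time":
        raise ValueError("set rotation_strategy = time; retention in days "
                         "only follows from time-based rotation")
    period = parse_period(settings["elasticsearch_max_time_per_index"])
    count = int(settings["elasticsearch_max_number_of_indices"])
    if count < 1:
        raise ValueError("elasticsearch_max_number_of_indices must be >= 1")
    return (count - 1) * period, count * period


def meets_retention(settings, required):
    """True when the guaranteed minimum window covers the required retention."""
    return retention_bounds(settings)[0] >= required


if __name__ == "__main__":
    base = parse_config(SAMPLE_CONF)
    # The variants discussed in the thread, expressed as overrides of the sample.
    variants = {
        "1d x 8 (first answer)": {},
        "12h x 16 (first answer)": {"elasticsearch_max_time_per_index": "12h",
                                    "elasticsearch_max_number_of_indices": "16"},
        "12h x 15 (first answer)": {"elasticsearch_max_time_per_index": "12h",
                                    "elasticsearch_max_number_of_indices": "15"},
        "1d x 7 (third answer)": {"elasticsearch_max_number_of_indices": "7"},
    }
    week = timedelta(days=7)
    for name, override in variants.items():
        cfg = dict(base, **override)
        low, high = retention_bounds(cfg)
        print("%-26s min %5.1f d  max %5.1f d  covers 1 week: %s"
              % (name, low.days + low.seconds / 86400,
                 high.days + high.seconds / 86400, meets_retention(cfg, week)))
```

Running it shows that 8 daily indices or 15 twelve-hour indices guarantee a full week, 16 twelve-hour indices guarantee 7.5 days, and the 7-index variant guarantees only 6 days immediately after a rotation, which is the difference between "a week plus the current day" and "a week at most". The same parser can be pointed at a real server.conf to check a retention requirement before the oldest index is deleted.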
