Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Graylog2- how to config logs retention to 1 week

Tags:

logging

graylog2

retention

We are using some Graylog2 servers ( graylog-server version 1.3.4). Because we receive too much of log messages, it requires a lot of memory. I am trying to reduce the logs retention to 1 week, every log messages older than 1 week will be deleted. However, I cannot find out any value in configuration file to do that.
I used "max_time_per_index = 7d" value but max_time_per_index seems just define the age of an index until it's rotated and a new index is being created, not of the messages in that index.
So, what's the best way to set message retention to 1 week? Please help me. Thanks a lot.

like image 313
SWdream Avatar asked May 19 '16 03:05

SWdream

2 Answers

This can be easily configured using the Web GUI in Graylog_2 and later.

Navigate to "System/Indices" in the Administration drop down menu. Under "Settings", click the Update configuration button.

enter image description here

Configure the Index Rotation Configuration to equal "Index Time", Rotation Period = P1D (a day). You'll have to decide whether or not you'd like to "Delete Index" or just close it, then set the Max number of indices to "8". That should keep the current day, and the last 7 days worth of indices.

enter image description here

NOTE:

Graylog Enterprise edition comes with an option to "Archive" log files, which essentially compresses them and allows you to move it to another storage location (whether to tape or just to another storage location).

like image 104
CaptJak Avatar answered Oct 14 '22 14:10

CaptJak

One way to achieve this is to rotate your index every day and keep the maximum number of index to 8. This way you will always have a full week + the current day of logs in your Elasticsearch cluster. 

elasticsearch_max_time_per_index = 1d
elasticsearch_max_number_of_indices = 8

Note that your search performance can be even better by using more index and less rotation time thanks to the intelligent time range selection feature of Graylog. For example, this should give faster search results if you have many datas : 

elasticsearch_max_time_per_index = 12h
elasticsearch_max_number_of_indices = 16

you can even drop your number of indices to 15 and still have a whole week of data.

like image 31
Babacar Diassé Avatar answered Oct 14 '22 15:10

Babacar Diassé
Sign in to Comment

Related questions

Not able to see the log file in Yii
log4j properties: LevelMatchFilter doesn't work
Logback different files for different levels
Using python logging module to info messages to one file and err to another file [closed]
Forwarding journald to Cloudwatch Logs
Logger not working Elixir
Make git log produce command output 'inline'
Gunicorn - No access logs
Using Console.WriteLine within a Windows Forms application
Simple C++ logger by using singleton pattern
Logging RestClient in a Rails app
Log stack trace for python warning
Java logging framework - with printf() support
How to log the second argument in log4j
How to view syslog in ubuntu?
GAE - Python 3.7 - How to log?
os_log - use of unresolved identifier error
How to keep log tail alive on Heroku using ssh?
pom.xml shows multiple errors on including log4j dependency
Python logging won't set a logging level using basicConfig

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!