
log rotation script for logstash to purge logs greater than two weeks old

Tags: logstash

I'm trying to come up with the best way to purge the logs from a logstash server that are more than two weeks old.

For those that aren't aware, Logstash stores its logs inside of Elasticsearch. We have a really great stable ELK stack (Elasticsearch/Logstash/Kibana) where I work.

The typical way of deleting a logstash index is with a curl command like this one:

#curl --user admin -XDELETE http://localhost:9200/logstash-2015.06.06
Enter host password for user 'admin':
{"acknowledged":true}

Now what I'm looking for is a programmatic way of changing the dates in the logstash index to automatically purge any index that's greater than two weeks old.

I'm thinking of using bash to get this done.

I'd appreciate any examples of how to do this or advice you may have!

Thanks

Thanks!! But do you think you can help me get this going using auth?

This is what I tried so far:

[root@logs:~] #curator --help | grep -i auth
  --http_auth TEXT   Use Basic Authentication ex: user:pass
[root@logs:~] #curator delete indices --older-than 14 --time-unit days --timestring %Y.%m.%d --regex '^logstash-' --http_auth admin:secretsauce
Error: no such option: --http_auth
[root@logs:~] #curator delete indices --older-than 14 --time-unit days --timestring %Y.%m.%d --regex '^logstash-' --http_auth admin:secretsauce
Error: no such option: --http_auth
[root@logs:~] #curator delete indices --http_auth admin:secretsauce --older-than 14 --time-unit days --timestring %Y.%m.%d --regex '^logstash-'
Error: no such option: --http_auth
bluethundr asked Dec 09 '22 02:12


1 Answer

Use Curator. To delete indexes older than 14 days you can run this command:

curator delete indices --older-than 14 --time-unit days --timestring %Y.%m.%d --regex '^logstash-'
Magnus Bäck answered Jan 30 '23 03:01
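
An added example, not part of the original thread and not Curator's own code: the same two-week purge done in shell with curl, as the question asked, with the `admin` password read from a netrc file instead of being typed at a prompt or passed as a command-line argument. It assumes GNU `date`, an Elasticsearch that serves `_cat/indices`, and a netrc file at a hypothetical path; `select_expired`, `purge`, `ES_NETRC`, `KEEP_DAYS` and `DRY_RUN` are names made up for this sketch.

```shell
#!/bin/sh
# Added example: purge logstash-YYYY.MM.DD indices older than KEEP_DAYS using curl.
ES_URL="${ES_URL:-http://localhost:9200}"   # host used in the question
ES_NETRC="${ES_NETRC:-$HOME/.es-netrc}"     # assumed path; chmod 600, one line:
                                            #   machine localhost login admin password <password>
KEEP_DAYS="${KEEP_DAYS:-14}"

# Read index names on stdin, print those dated strictly before the cutoff
# ($1, format YYYY.MM.DD). Only exact logstash-YYYY.MM.DD names pass, so a
# wildcard, "_all" or an unrelated index can never reach the DELETE request.
select_expired() {
  awk -v cutoff="$1" '
    $1 ~ /^logstash-[0-9][0-9][0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]$/ {
      # Zero-padded dates order correctly as plain strings.
      if ((substr($1, 10) "") < (cutoff "")) print $1
    }'
}

# List the logstash indices, keep the expired ones, delete each by exact name.
purge() {
  cutoff=$(date -u -d "$KEEP_DAYS days ago" +%Y.%m.%d) || return 1   # GNU date
  curl -fsS --netrc-file "$ES_NETRC" "$ES_URL/_cat/indices/logstash-*?h=index" |
    select_expired "$cutoff" |
    while IFS= read -r index; do
      if [ "${DRY_RUN:-1}" = 1 ]; then
        # Default is a dry run so a bad cutoff cannot delete anything.
        echo "would delete $index"
      else
        curl -fsS --netrc-file "$ES_NETRC" -XDELETE "$ES_URL/$index"
        echo " $index"
      fi
    done
}

# Runs only when asked for, e.g. from cron: DRY_RUN=0 ./purge-logstash.sh purge
if [ "${1:-}" = "purge" ]; then purge; fi
```

With the password in a mode-600 netrc file it does not appear in `ps` output, shell history or the crontab entry.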