Archiving and deletion per tenant


(frame) #1

Hi Elasticsearch Team,

We have three different machines namely machine A, machine B and machine C.
These three machines are sending syslog data to our logger, which uses Elasticsearch for storage.

In our logger there are three inputs for three machines. (machine A, B and C)

All logs are coming properly and we can view them in UI and they are stored in elasticsearch (one instance only).
Currently we have around 47,285,976 messages in 2,285 ms, searched in 3 indices.

Now my queries are as follows:

Can I archive the data coming from three separate inputs (machines) into Elasticsearch for secure storage and re-import it back when necessary?

Can I delete logs from Elasticsearch based on the inputs (machines from which syslog is pushed to the logger) or based on time and date?

Thanks in advance.

framework


(Mark Walkom) #2

Elasticsearch doesn't do encryption at rest, but you can use OS level tools to provide that.

You can, but it's not recommended as it is expensive. You are better off splitting the data into a per-customer, per time index.


(frame) #3

Thanks for your quick reply.
You said it can be done but is expensive; could you point me to some documentation or explain to me how to do this?

You also said you can segregate based on per-customer, per-time index.
Can you guide me on how to do it?

Thanks
framework


(Mark Walkom) #4

Have a look at https://www.elastic.co/guide/en/elasticsearch/reference/5.0/docs-delete-by-query.html
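
The two options discussed in this thread, as an added example that is not part of any poster's reply: a per-tenant, per-day index layout where expired indices are snapshotted and then dropped whole, next to the delete-by-query request needed when tenants share one index. The `syslog-<tenant>-YYYY.MM.DD` naming scheme, the repository name `tenant_archive`, the field names `source_input` and `@timestamp`, and the retention values are assumptions.

```python
from datetime import date, datetime

PREFIX = "syslog"        # assumed naming scheme: syslog-<tenant>-YYYY.MM.DD
REPO = "tenant_archive"  # assumed name of an already registered snapshot repository

def index_name(tenant, day):
    """Index that a log line from `tenant` received on `day` is written to."""
    return f"{PREFIX}-{tenant}-{day:%Y.%m.%d}"

def parse_index(name):
    """Return (tenant, day), or None for indices outside the naming scheme."""
    parts = name.split("-")
    if len(parts) < 3 or parts[0] != PREFIX:
        return None
    try:
        day = datetime.strptime(parts[-1], "%Y.%m.%d").date()
    except ValueError:
        return None
    return "-".join(parts[1:-1]), day

def plan_retention(indices, retention_days, today):
    """REST calls that archive, then drop, each tenant's expired daily indices."""
    plan = []
    for name in sorted(indices):
        parsed = parse_index(name)
        if parsed is None or parsed[0] not in retention_days:
            continue  # never touch an index that cannot be attributed to a tenant
        tenant, day = parsed
        if (today - day).days > retention_days[tenant]:
            # Snapshot first and wait for it, so the delete only follows a finished archive.
            plan.append(("PUT", f"/_snapshot/{REPO}/snap-{name}?wait_for_completion=true",
                         {"indices": name}))
            plan.append(("DELETE", f"/{name}", None))  # dropping a whole index is cheap
    return plan

def delete_by_query_request(index, tenant, before):
    """The expensive alternative: remove one tenant's old documents from a shared index."""
    body = {"query": {"bool": {"filter": [
        {"term": {"source_input": tenant}},
        {"range": {"@timestamp": {"lt": before.isoformat()}}},
    ]}}}
    return ("POST", f"/{index}/_delete_by_query", body)

# Constructed sample data: index names as a cluster might list them.
SAMPLE_INDICES = ["syslog-machine-a-2016.11.01", "syslog-machine-a-2016.12.10",
                  "syslog-machine-b-2016.11.01", ".kibana", "syslog-machine-c-oops"]
SAMPLE_RETENTION = {"machine-a": 30, "machine-b": 90}  # days, per tenant

if __name__ == "__main__":
    for call in plan_retention(SAMPLE_INDICES, SAMPLE_RETENTION, date(2016, 12, 15)):
        print(call)
    print(delete_by_query_request("syslog-shared", "machine-a", date(2016, 11, 15)))
```

Restoring an archived index later goes through the snapshot restore API against the same repository.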

