Hello to the community!
I'm new to the stack and I have a small PROD deployment (approx. 50 network devices sending syslog logs of severity 0-4; not sure yet about the number of hits/day) for my client. Right now I only have one node in my cluster.
We did a POC before (by someone who left the company) and at that time he used Curator to manage indices. But I would like to use the built-in ILM functionality to simplify operations.
Here's the requirement:
Logs are kept at least 1 year. Audit trails regarding the last 3 months must be immediately available through the interface.
For now, I'm still in the testing phase and I decided to create a daily index (Logstash output section). I have been struggling a bit with the ILM interface and I'm wondering whether a daily index is such a good idea. I thought about a hot phase with a maximum age (90 days) and then a delete phase, but I see that the delete phase is linked to rollover... and I don't see the use for it!
Reading the documentation and googling it somehow made things even more confusing.
> I thought about a hot phase with a maximum age (90 days) and then a delete phase, but I see that the delete phase is linked to rollover... and I don't see the use for it!
By specifying a max_age for the hot phase in the UI, you are enabling rollover. If rollover was not enabled on the hot phase, deletion would be based on days/hours from index creation. Also, this post details some of the benefits of the rollover pattern: https://www.elastic.co/blog/managing-time-based-indices-efficiently
For further questions about ILM, the Elasticsearch forum might be a better place to ask.
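To make the rollover/deletion distinction from the reply concrete, here is an added example of an ILM policy that fits the stated requirement (hot for 90 days, kept for one year); it is not from the original thread, and the policy name, the `logs-syslog` alias and the phase timings are assumptions. With rollover enabled in the hot phase, each phase's `min_age` is measured from the moment that index was rolled over, not from its creation; without a rollover action it would count from index creation, which is the behaviour the reply describes.

```json
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_age": "1d",
            "max_primary_shard_size": "50gb"
          },
          "set_priority": { "priority": 100 }
        }
      },
      "warm": {
        "min_age": "90d",
        "actions": {
          "readonly": {},
          "forcemerge": { "max_num_segments": 1 },
          "set_priority": { "priority": 50 }
        }
      },
      "delete": {
        "min_age": "365d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}
```

Install it with `PUT _ilm/policy/syslog-policy` and reference it from an index template that sets `index.lifecycle.name` and `index.lifecycle.rollover_alias: logs-syslog`; Logstash then writes to the alias instead of creating a dated index per day, and ILM creates the daily (or size-based) indices itself.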