Hello to the community!
I'm new to the stack and I have a small PROD deployment (approx 50 network devices syslog logs severity 0-4. Not sure yet about the number of hits/day ) for my client. Right now I only have one node on my cluster.
We did a POC before (by someone who left the company) and at that time he used curator to manage index. But I would like to use the build-in ILM functionality to simplify operations.
Here's the requirement :
Logs are kept at least 1 year. Audit trails regarding the last 3 months must be immediately available through the interface.
For now, I'm still on the testing phase and I decided to create a daily index (logstash output section). I have been struggling a bit on the ILM interface and I'm wondering if daily index is such a good idea. I thought about a hot phase with a maximum age (90days) then a delete phase but I see that the delete one is linked to rollover...but I don't see the use for it!
Reading the documentation and googling it somehow made things even more confusing
Thanks again for the help!