We are currently testing some freeware syslog products to collect system and log messages from some of our servers (about 20 servers).
Our favorite product, which would be fine for us, is graylog2, but there's one major problem:
With only 10 servers transferring their logs to the graylog server, we had about 100GB of log data on the graylog server in only three weeks.
Graylog2 uninhibitedly fills the disk with log data until it's completely full and then simply stops working. It runs against the wall.
There seems to be no way to tell the elasticsearch database (or graylog itself) to only fill up the log storage on the graylog server until the remaining free disk space is lower than 20% (or some other meaningful value) and then start to delete the oldest log data.
At the moment we're in a testing phase and only work with one server that has graylog2, MongoDB and elasticsearch on it. It runs Ubuntu 14.04.
Thanks in advance.